Skip to main content

Prototype Pollution CVE-2026-6621

| EUVDEUVD-2026-23812 MEDIUM
Improperly Controlled Modification of Object Prototype Attributes (Prototype Pollution) (CWE-1321)
2026-04-20 VulDB GHSA-vr46-pfqh-wpf8
5.5
CVSS 4.0 · NVD
Share

Severity by source

NVD PRIMARY
5.5 MEDIUM
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

8
CVSS changed
Apr 29, 2026 - 01:12 NVD
6.9 (MEDIUM) 5.5 (MEDIUM)
PoC Detected
Apr 29, 2026 - 01:00 vuln.today
Public exploit code
Severity Changed
Apr 20, 2026 - 09:37 NVD
HIGH MEDIUM
CVSS changed
Apr 20, 2026 - 09:37 NVD
7.3 (HIGH) 6.9 (MEDIUM)
Analysis Generated
Apr 20, 2026 - 08:58 vuln.today
EUVD ID Assigned
Apr 20, 2026 - 08:45 euvd
EUVD-2026-23812
Analysis Generated
Apr 20, 2026 - 08:45 vuln.today
CVE Published
Apr 20, 2026 - 08:30 nvd
MEDIUM 5.5

DescriptionCVE.org

A vulnerability was determined in 1024bit extend-deep up to 0.1.6. The impacted element is an unknown function of the file index.js. This manipulation of the argument __proto__ causes improperly controlled modification of object prototype attributes. Remote exploitation of the attack is possible. The exploit has been publicly disclosed and may be utilized. The code repository of the project has not been active for many years.

AnalysisAI

Prototype pollution in extend-deep npm package (up to 0.1.6) enables remote attackers to manipulate JavaScript object prototypes via crafted __proto__ payloads, achieving low-severity confidentiality, integrity, and availability impacts. Public exploit code exists on GitHub. CVSS 7.3 with network attack vector and no authentication required. Project repository inactive for years, making official patch unlikely. EPSS data unavailable, but prototype pollution attacks are well-understood and automatable. Not listed in CISA KEV, suggesting limited widespread exploitation despite public POC.

Technical ContextAI

The extend-deep library (cpe:2.3:a:1024bit:extend-deep) is a JavaScript utility for deep object merging, commonly used in Node.js applications. This vulnerability stems from CWE-1321 (Improperly Controlled Modification of Object Prototype Attributes), the classic prototype pollution class. When extend-deep processes untrusted input containing __proto__ keys in index.js, it fails to sanitize property names during recursive object extension. Attackers can inject properties into Object.prototype, affecting all JavaScript objects in the application's runtime. This is a widespread vulnerability pattern in legacy JavaScript merge utilities predating modern secure-by-default alternatives. The affected package exists in the npm ecosystem and may be deeply embedded in dependency trees despite project abandonment.

RemediationAI

No vendor-released patch exists or will be released given the project's multi-year abandonment (RL:X). Primary remediation is dependency replacement: migrate to actively maintained alternatives such as lodash.merge (with prototype pollution protections enabled), deepmerge (version 4.3.0+), or native Object.assign/spread operators for shallow merging. Use npm audit or yarn audit to identify direct and transitive dependencies on extend-deep, then update parent packages that pull it in or fork/patch the dependency chain. Immediate compensating controls: implement input validation to reject or strip __proto__, constructor, and prototype keys before passing objects to extend-deep; deploy Object.freeze(Object.prototype) at application startup to prevent prototype modifications (may break legitimate code); run applications with --frozen-intrinsics flag in Node.js 18+ to lock built-in prototypes. Note that freezing prototypes can cause compatibility issues with legacy libraries expecting mutable prototypes. Runtime application self-protection (RASP) solutions can detect prototype pollution attempts. For containerized deployments, use minimal base images and dependency pinning to prevent introducing the package in new builds. Long-term: establish dependency lifecycle management to sunset unmaintained packages before vulnerabilities emerge.

CVE-2026-34621 HIGH POC
8.6 Apr 11

Prototype pollution in Adobe Acrobat Reader versions 24.001.30356, 26.001.21367 and earlier enables arbitrary code execu

CVE-2024-56059 CRITICAL
9.8 Dec 18

Prototype pollution in the farinspace Partners WordPress plugin (versions up to and including 0.2.0) enables remote unau

CVE-2020-28271 CRITICAL POC
9.8 Nov 12

Prototype pollution vulnerability in 'deephas' versions 1.0.0 through 1.0.5 allows attacker to cause a denial of service

CVE-2023-38894 CRITICAL POC
9.8 Aug 16

A Prototype Pollution issue in Cronvel Tree-kit v.0.7.4 and before allows a remote attacker to execute arbitrary code vi

CVE-2024-24292 CRITICAL POC
9.8 Mar 28

A Prototype Pollution issue in Aliconnect /sdk v.0.0.6 allows an attacker to execute arbitrary code via the aim function

CVE-2023-26121 CRITICAL POC
10.0 Apr 11

All versions of the package safe-eval are vulnerable to Prototype Pollution via the safeEval function, due to improper s

CVE-2021-23449 CRITICAL POC
10.0 Oct 18

This affects the package vm2 before 3.9.4 via a Prototype Pollution attack vector, which can lead to execution of arbitr

CVE-2024-39011 CRITICAL POC
9.8 Jul 30

Prototype Pollution in chargeover redoc v2.0.9-rc.69 allows attackers to execute arbitrary code or cause a Denial of Ser

CVE-2024-38988 CRITICAL POC
9.8 Mar 28

alizeait unflatto <= 1.0.2 was discovered to contain a prototype pollution via the method exports.unflatto at /dist/inde

CVE-2025-57347 CRITICAL POC
9.8 Sep 24

A vulnerability exists in the 'dagre-d3-es' Node.js package version 7.0.9, specifically within the 'bk' module's addConf

CVE-2025-57321 CRITICAL POC
9.8 Sep 24

A Prototype Pollution vulnerability in the util-deps.addFileDepend function of magix-combine-ex versions thru 1.2.10 all

CVE-2024-45435 CRITICAL POC
9.8 Aug 29

Chartist 1.x through 1.3.0 allows Prototype Pollution via the extend function. Rated critical severity (CVSS 9.8), this

Share

CVE-2026-6621 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy