CWE-1321
Improperly Controlled Modification of Object Prototype Attributes (Prototype Pollution)
Monthly
Prototype pollution in @nevware21/ts-utils versions <= 0.13.0 allows attackers to corrupt the global Object prototype by passing crafted JSON containing a __proto__ key to objDeepCopy or objCopyProps. The flaw resides in the _copyProps helper, which iterates source properties with for...in without hasOwnProperty filtering and does not block dangerous keys. Publicly available exploit code exists via the vendor's GHSA proof-of-concept, though no public exploit has been identified at time of analysis beyond the disclosure PoC, and there is no KEV listing.
Cookie-attribute injection in js-cookie versions 3.0.5 and earlier allows remote attackers to override security-relevant Set-Cookie attributes (domain, secure, samesite, expires, path) by supplying a JSON-derived attributes object containing a __proto__ key. Publicly available exploit code exists in the GHSA-qjx8-664m-686j advisory demonstrating per-instance prototype hijack via the assign() helper. No active exploitation has been observed, and the issue is fixed in 3.0.7.
Prototype pollution in MongoDB Compass's CSV import parsing logic creates a '1-click' command execution path across versions 1.36.x through 1.49.5. A crafted CSV file can pollute JavaScript object prototypes during the import workflow, causing untrusted file paths to reach Electron's shell.openExternal() API and be executed by the operating system's default handler. No public exploit code has been identified and this CVE is absent from CISA KEV, but the passive user-interaction requirement (simply importing a CSV as part of routine database work) makes targeted social engineering a credible delivery vector in data-heavy environments.
Prototype pollution in the @tmlmobilidade/utils npm package allows remote unauthenticated attackers to inject properties into Object.prototype via the setValueAtPath() helper, leading to integrity compromise and partial availability impact in any downstream application that passes user-influenced paths into the function. The flaw is rated CVSS 8.2 (AV:N/AC:L/PR:N/UI:N) and is fixed in version 20260509.0340.15; no public exploit has been identified at time of analysis, and the issue is not listed in CISA KEV.
Prototype pollution in the npm package parse-nested-form-data version 1.0.0 and earlier allows unauthenticated remote clients to mutate Object.prototype of the running Node.js process by submitting a FormData field whose name contains __proto__ in bracket or dot notation. The flaw resides in handlePathPart in src/index.ts, which walks nested path segments without filtering reserved keys, so a single crafted field name pollutes the prototype chain of every plain object in the process. No public exploit identified at time of analysis, but a working proof-of-concept is published in the GHSA advisory itself.
Prototype pollution in the npm package form-data-objectizer (<= 1.0.0) lets unauthenticated remote attackers mutate Object.prototype by submitting a single HTTP form field whose name uses bracket notation such as __proto__[polluted] or constructor[prototype][polluted]. The defect lives in treatInitial/treatSecond inside index.cjs, where an 'in' check walks the prototype chain and lets the parser write to inherited properties. CVSS is 8.2 (High) with Integrity:High; publicly available exploit code exists (working PoC published in the GHSA advisory), but there is no public exploit identified as being used in attacks and no CISA KEV listing.
Prototype pollution in the jsondiffpatch JavaScript library before 0.7.6 allows attackers to modify Object.prototype by supplying crafted delta documents to jsondiffpatch.patch() or JSON Patch documents to the jsonpatch formatter's patch() API. Because attacker-controlled key names and JSON Pointer path segments were used to traverse and mutate objects without filtering __proto__, constructor, or prototype, any application that feeds untrusted diffs into the library can have global object behavior tampered with. A public PoC exists in the Snyk advisory and an accompanying gist, but no public exploit has been identified at time of analysis (not on CISA KEV).
Prototype pollution in the @ranfdev/deepobj npm package (versions ≤1.0.2) allows remote unauthenticated attackers to modify JavaScript object prototypes when property paths containing '__proto__', 'constructor', or 'prototype' are processed. The CVSS vector (AV:N/AC:L/PR:N/UI:N) indicates trivial exploitation against network-accessible applications, though real-world impact depends critically on whether user-controlled input is passed to property path parameters. EPSS data is unavailable; not listed in CISA KEV. Publicly available exploit code exists (GitHub advisory GHSA-x7q7-fchv-8h2j). A vendor-released patch is available in version 1.0.3.
Remote code execution in the n8n workflow automation platform allows authenticated users with workflow editing permissions to exploit a prototype pollution patch bypass in the XML node component. The vulnerability (CVE-2026-44791) affects n8n versions prior to 1.123.43, 2.20.7, and 2.22.1, building on a previous incomplete fix (GHSA-hqr4-h3xv-9m3r). Vendor-released patches are available across all affected version branches. The CVSS 3.1 score of 9.9 (Critical) reflects a network-accessible attack requiring low-privilege authentication, with changed scope enabling full system compromise. No public exploit has been identified at time of analysis, though the existence of a prior related vulnerability (GHSA-hqr4-h3xv-9m3r) suggests attackers familiar with the original issue could adapt techniques.
Prototype pollution in n8n's HTTP Request node enables authenticated users with workflow permissions to achieve remote code execution. The vulnerability stems from an unvalidated pagination parameter that can be exploited to pollute JavaScript's global prototype, which combined with chaining techniques escalates to arbitrary code execution on the n8n instance. Affects n8n versions prior to 1.123.43, 2.0.0-rc.0 through 2.20.6, and 2.21.0 through 2.22.0. Vendor-released patches are available for all affected branches. No public exploit code or active exploitation (CISA KEV) identified at time of analysis, though the technical details in the GitHub advisory provide sufficient information for exploit development by skilled attackers.