Skip to main content

Db

1 CVEs product

Monthly

CVE-2026-15607 LOW POC PATCH Monitor

Prototype pollution in TanStack DB's select() query compiler allows low-privileged remote attackers to mutate Object.prototype by supplying dot-notation alias paths containing reserved JavaScript property names such as __proto__, prototype, or constructor. Versions up to 0.6.8 are confirmed affected via CPE cpe:2.3:a:tanstack:db. A publicly available exploit exists (GitHub issue #1584), though the vulnerability is not in CISA KEV. The CVSS 4.0 base score of 2.1 reflects low integrity impact scoped to the vulnerable system, but the downstream consequences of Object.prototype mutation in JavaScript runtimes can exceed what raw scoring conveys depending on application logic.

Information Disclosure Prototype Pollution Db
NVD VulDB GitHub
CVSS 4.0
2.1
EPSS
0.3%
EPSS 0% CVSS 2.1
LOW POC PATCH Monitor

Prototype pollution in TanStack DB's select() query compiler allows low-privileged remote attackers to mutate Object.prototype by supplying dot-notation alias paths containing reserved JavaScript property names such as __proto__, prototype, or constructor. Versions up to 0.6.8 are confirmed affected via CPE cpe:2.3:a:tanstack:db. A publicly available exploit exists (GitHub issue #1584), though the vulnerability is not in CISA KEV. The CVSS 4.0 base score of 2.1 reflects low integrity impact scoped to the vulnerable system, but the downstream consequences of Object.prototype mutation in JavaScript runtimes can exceed what raw scoring conveys depending on application logic.

Information Disclosure Prototype Pollution Db
NVD VulDB GitHub

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy