Skip to main content

Layout

1 CVEs product

Monthly

CVE-2026-15598 MEDIUM This Month

Prototype pollution in antv layout 2.0.0 exposes JavaScript runtimes to object prototype manipulation via the `setNestedValue` function in `lib/util/object.js`, where a crafted `path` argument can inject arbitrary properties into the global Object prototype. The CVSS 4.0 vector (AV:N/AC:L/PR:L) indicates network-reachable exploitation requiring low-privilege authentication, with limited but real confidentiality, integrity, and availability impact depending on how downstream application code consumes polluted prototype properties. No public exploit code has been identified and the vulnerability is not listed in CISA KEV; however, the vendor has not responded to the responsible disclosure filed via GitHub issue #292, leaving no patch timeline available.

Information Disclosure Prototype Pollution Layout
NVD VulDB GitHub
CVSS 4.0
5.3
EPSS
0.3%
EPSS 0% CVSS 5.3
MEDIUM This Month

Prototype pollution in antv layout 2.0.0 exposes JavaScript runtimes to object prototype manipulation via the `setNestedValue` function in `lib/util/object.js`, where a crafted `path` argument can inject arbitrary properties into the global Object prototype. The CVSS 4.0 vector (AV:N/AC:L/PR:L) indicates network-reachable exploitation requiring low-privilege authentication, with limited but real confidentiality, integrity, and availability impact depending on how downstream application code consumes polluted prototype properties. No public exploit code has been identified and the vulnerability is not listed in CISA KEV; however, the vendor has not responded to the responsible disclosure filed via GitHub issue #292, leaving no patch timeline available.

Information Disclosure Prototype Pollution Layout
NVD VulDB GitHub

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy