Skip to main content

Mingo

1 CVEs product

Monthly

CVE-2026-15698 LOW PATCH Monitor

Prototype pollution in kofrasa mingo up to version 7.2.1 allows low-privileged remote attackers to corrupt JavaScript Object.prototype by supplying `__proto__` as a field selector in `$set`, `updateOne`, or `updateMany` operations, injecting arbitrary properties into all objects within the Node.js process. Proof-of-concept exploit code exists (CVSS 4.0 E:P), and successful exploitation can cascade to application-wide privilege logic bypass, information disclosure, or denial of service depending on how the host application relies on inherited object properties. Vendor-released patch version 7.2.2 is confirmed available.

Prototype Pollution Information Disclosure Mingo
NVD VulDB GitHub
CVSS 4.0
2.1
EPSS
0.3%
EPSS 0% CVSS 2.1
LOW PATCH Monitor

Prototype pollution in kofrasa mingo up to version 7.2.1 allows low-privileged remote attackers to corrupt JavaScript Object.prototype by supplying `__proto__` as a field selector in `$set`, `updateOne`, or `updateMany` operations, injecting arbitrary properties into all objects within the Node.js process. Proof-of-concept exploit code exists (CVSS 4.0 E:P), and successful exploitation can cascade to application-wide privilege logic bypass, information disclosure, or denial of service depending on how the host application relies on inherited object properties. Vendor-released patch version 7.2.2 is confirmed available.

Prototype Pollution Information Disclosure Mingo
NVD VulDB GitHub

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy