ReportizFlow
Filtered by vendor
Subscriptions
Total
416 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2024-21548 | 2025-07-24 | 7.5 High | ||
| Versions of the package bun after 0.0.12 and before 1.1.30 are vulnerable to Prototype Pollution due to improper input sanitization. An attacker can exploit this vulnerability through Bun's APIs that accept objects. **Note:** This issue relates to the widely known and actively developed 'Bun' JavaScript runtime. The bun package on NPM at versions 0.0.12 and below belongs to a different and older project that happened to claim the 'bun' name in the past. | ||||
| CVE-2023-45811 | 1 Relative | 1 Synchrony | 2025-07-22 | 8.2 High |
| Synchrony deobfuscator is a javascript cleaner & deobfuscator. A `__proto__` pollution vulnerability exists in versions before v2.4.4. Successful exploitation could lead to arbitrary code execution. A `__proto__` pollution vulnerability exists in the `LiteralMap` transformer allowing crafted input to modify properties in the Object prototype. A fix has been released in `[email protected]`. Users are advised to upgrade. Users unable to upgrade should launch node with the [--disable-proto=delete][disable-proto] or [--disable-proto=throw][disable-proto] flags | ||||
| CVE-2025-53626 | 2025-07-15 | 6.1 Medium | ||
| pdfme is a TypeScript-based PDF generator and React-based UI. The expression evaluation feature in pdfme 5.2.0 to 5.4.0 contains critical vulnerabilities allowing sandbox escape leading to XSS and prototype pollution attacks. This vulnerability is fixed in 5.4.1. | ||||
| CVE-2025-27597 | 1 Intlify | 1 Vue-i18n | 2025-07-12 | N/A |
| Vue I18n is the internationalization plugin for Vue.js. @intlify/message-resolver and @intlify/vue-i18n-core are vulnerable to Prototype Pollution through the entry function: handleFlatJson. An attacker can supply a payload with Object.prototype setter to introduce or modify properties within the global prototype chain, causing denial of service (DoS) a the minimum consequence. Moreover, the consequences of this vulnerability can escalate to other injection-based attacks, depending on how the library integrates within the application. For instance, if the polluted property propagates to sensitive Node.js APIs (e.g., exec, eval), it could enable an attacker to execute arbitrary commands within the application's context. | ||||
| CVE-2024-39853 | 1 Swiperjs | 1 Swiper | 2025-07-11 | 6.5 Medium |
| adolph_dudu ratio-swiper 0.0.2 was discovered to contain a prototype pollution via the function parse. This vulnerability allows attackers to execute arbitrary code or cause a Denial of Service (DoS) via injecting arbitrary properties. | ||||
| CVE-2024-39003 | 1 Amoyjs | 1 Common | 2025-07-07 | 7.3 High |
| amoyjs amoy common v1.0.10 was discovered to contain a prototype pollution via the function setValue. This vulnerability allows attackers to execute arbitrary code or cause a Denial of Service (DoS) via injecting arbitrary properties. | ||||
| CVE-2024-39000 | 2 Adolphdudu, Swiperjs | 2 Ratio-swiper, Swiper | 2025-07-07 | 6.5 Medium |
| adolph_dudu ratio-swiper v0.0.2 was discovered to contain a prototype pollution via the function parse. This vulnerability allows attackers to execute arbitrary code or cause a Denial of Service (DoS) via injecting arbitrary properties. | ||||
| CVE-2024-38997 | 2 Adolphdudu, Swiperjs | 2 Ratio-swiper, Swiper | 2025-07-07 | 6.5 Medium |
| adolph_dudu ratio-swiper v0.0.2 was discovered to contain a prototype pollution via the function extendDefaults. This vulnerability allows attackers to execute arbitrary code or cause a Denial of Service (DoS) via injecting arbitrary properties. | ||||
| CVE-2024-38994 | 1 Amoyjs | 1 Common | 2025-07-07 | 7.3 High |
| amoyjs amoy common v1.0.10 was discovered to contain a prototype pollution via the function extend. This vulnerability allows attackers to execute arbitrary code or cause a Denial of Service (DoS) via injecting arbitrary properties. | ||||
| CVE-2024-11628 | 1 Progress | 1 Kendo Ui For Vue | 2025-06-27 | 4.1 Medium |
| In Progress® Telerik® Kendo UI for Vue versions v2.4.0 through v6.0.1, an attacker can introduce or modify properties within the global prototype chain which can result in denial of service or command injection. | ||||
| CVE-2024-12629 | 1 Progress | 1 Kendoreact | 2025-06-27 | 4.1 Medium |
| In Progress® Telerik® KendoReact versions v3.5.0 through v9.4.0, an attacker can introduce or modify properties within the global prototype chain which can result in denial of service or command injection. | ||||
| CVE-2024-23339 | 1 Elijahharry | 1 Hoolock | 2025-06-18 | 6.3 Medium |
| hoolock is a suite of lightweight utilities designed to maintain a small footprint when bundled. Starting in version 2.0.0 and prior to version 2.2.1, utility functions related to object paths (`get`, `set`, and `update`) did not block attempts to access or alter object prototypes. Starting in version 2.2.1, the `get`, `set` and `update` functions throw a `TypeError` when a user attempts to access or alter inherited properties. | ||||
| CVE-2024-21509 | 1 Sidorares | 1 Mysql2 | 2025-06-17 | 6.5 Medium |
| Versions of the package mysql2 before 3.9.4 are vulnerable to Prototype Poisoning due to insecure results object creation and improper user input sanitization passed through parserFn in text_parser.js and binary_parser.js. | ||||
| CVE-2025-49223 | 1 Naver | 1 Billboard.js | 2025-06-06 | 9.8 Critical |
| billboard.js before 3.15.1 was discovered to contain a prototype pollution via the function generate, which could allow attackers to execute arbitrary code or cause a Denial of Service (DoS) via injecting arbitrary properties. | ||||
| CVE-2024-34148 | 1 Jenkins | 2 Jenkins, Subversion Partial Release Manager | 2025-06-06 | 6.8 Medium |
| Jenkins Subversion Partial Release Manager Plugin 1.0.1 and earlier programmatically disables the fix for CVE-2016-3721 whenever a build is triggered from a release tag, by setting the Java system property 'hudson.model.ParametersAction.keepUndefinedParameters'. | ||||
| CVE-2023-46308 | 1 Plotly | 1 Plotly.js | 2025-06-03 | 9.8 Critical |
| In Plotly plotly.js before 2.25.2, plot API calls have a risk of __proto__ being polluted in expandObjectPaths or nestedProperty. | ||||
| CVE-2023-39296 | 1 Qnap | 2 Qts, Quts Hero | 2025-06-03 | 7.5 High |
| A prototype pollution vulnerability has been reported to affect several QNAP operating system versions. If exploited, the vulnerability could allow users to override existing attributes with ones that have incompatible type, which may lead to a crash via a network. We have already fixed the vulnerability in the following versions: QTS 5.1.3.2578 build 20231110 and later QuTS hero h5.1.3.2578 build 20231110 and later | ||||
| CVE-2025-5150 | 1 Linuxfoundation | 1 Docarray | 2025-06-03 | 6.3 Medium |
| A vulnerability was found in docarray up to 0.40.1. It has been rated as critical. Affected by this issue is the function __getitem__ of the file /docarray/data/torch_dataset.py of the component Web API. The manipulation leads to improperly controlled modification of object prototype attributes ('prototype pollution'). The attack may be launched remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | ||||
| CVE-2022-37265 | 1 Stealjs | 1 Steal | 2025-05-28 | 9.8 Critical |
| Prototype pollution vulnerability in stealjs steal 2.2.4 via the alias variable in babel.js. | ||||
| CVE-2025-48054 | 2025-05-28 | N/A | ||
| Radashi is a TypeScript utility toolkit. Prior to version 12.5.1, the set function within the Radashi library is vulnerable to prototype pollution. If an attacker can control parts of the path argument to the set function, they could potentially modify the prototype of all objects in the JavaScript runtime, leading to unexpected behavior, denial of service, or even remote code execution in some specific scenarios. This issue has been patched in version 12.5.1. A workaround for this issue involves sanitizing the path argument provided to the set function to ensure that no part of the path string is __proto__, prototype, or constructor. | ||||