Total
375 CVE
CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
---|---|---|---|---|---|
CVE-2025-27597 | | | 2025-03-07 | N/A | N/A |
Vue I18n is the internationalization plugin for Vue.js. @intlify/message-resolver and @intlify/vue-i18n-core are vulnerable to Prototype Pollution through the entry function: handleFlatJson. An attacker can supply a payload with Object.prototype setter to introduce or modify properties within the global prototype chain, causing denial of service (DoS) as the minimum consequence. Moreover, the consequences of this vulnerability can escalate to other injection-based attacks, depending on how the library integrates within the application. For instance, if the polluted property propagates to sensitive Node.js APIs (e.g., exec, eval), it could enable an attacker to execute arbitrary commands within the application's context. | |||||
CVE-2023-26106 | 1 Dot-lens Project | 1 Dot-lens | 2025-03-05 | N/A | 7.5 HIGH |
All versions of the package dot-lens are vulnerable to Prototype Pollution via the set() function in index.js file. | |||||
CVE-2020-7709 | 1 Manuelstofer | 1 Json-pointer | 2025-03-05 | 6.5 MEDIUM | 6.0 MEDIUM |
This affects the package json-pointer before 0.6.1. Multiple references of an object using a slash are supported. | |||||
CVE-2024-11628 | 1 Telerik | 1 Kendo Ui For Vue | 2025-02-21 | N/A | 4.1 MEDIUM |
In Progress® Telerik® Kendo UI for Vue versions v2.4.0 through v6.0.1, an attacker can introduce or modify properties within the global prototype chain which can result in denial of service or command injection. | |||||
CVE-2024-12629 | 1 Telerik | 1 Kendoreact | 2025-02-20 | N/A | 4.1 MEDIUM |
In Progress® Telerik® KendoReact versions v3.5.0 through v9.4.0, an attacker can introduce or modify properties within the global prototype chain which can result in denial of service or command injection. | |||||
CVE-2023-0842 | 1 Xml2js Project | 1 Xml2js | 2025-02-13 | N/A | 5.3 MEDIUM |
xml2js version 0.4.23 allows an external attacker to edit or add new properties to an object. This is possible because the application does not properly validate incoming JSON keys, thus allowing the __proto__ property to be edited. | |||||
CVE-2023-26121 | 1 Safe-eval Project | 1 Safe-eval | 2025-02-10 | N/A | 7.5 HIGH |
All versions of the package safe-eval are vulnerable to Prototype Pollution via the safeEval function, due to improper sanitization of its parameter content. | |||||
CVE-2023-26122 | 1 Safe-eval Project | 1 Safe-eval | 2025-02-07 | N/A | 8.8 HIGH |
All versions of the package safe-eval are vulnerable to Sandbox Bypass due to improper input sanitization. The vulnerability is derived from prototype pollution exploitation. Exploiting this vulnerability might result in remote code execution ("RCE"). **Vulnerable functions:** __defineGetter__, stack(), toLocaleString(), propertyIsEnumerable.call(), valueOf(). | |||||
CVE-2024-57084 | | | 2025-02-07 | N/A | 7.5 HIGH |
A prototype pollution in the function lib.parse of dot-properties v1.0.1 allows attackers to cause a Denial of Service (DoS) via supplying a crafted payload. | |||||
CVE-2024-57086 | | | 2025-02-06 | N/A | 7.5 HIGH |
A prototype pollution in the function fieldsToJson of node-opcua-alarm-condition v2.134.0 allows attackers to cause a Denial of Service (DoS) via supplying a crafted payload. | |||||
CVE-2024-57080 | | | 2025-02-06 | N/A | 7.5 HIGH |
A prototype pollution in the lib.install function of vxe-table v4.8.10 allows attackers to cause a Denial of Service (DoS) via supplying a crafted payload. | |||||
CVE-2024-57071 | | | 2025-02-06 | N/A | 7.5 HIGH |
A prototype pollution in the lib.combine function of php-parser v3.2.1 allows attackers to cause a Denial of Service (DoS) via supplying a crafted payload. | |||||
CVE-2024-57069 | | | 2025-02-06 | N/A | 7.5 HIGH |
A prototype pollution in the lib function of expand-object v0.4.2 allows attackers to cause a Denial of Service (DoS) via supplying a crafted payload. | |||||
CVE-2024-57078 | | | 2025-02-06 | N/A | 7.5 HIGH |
A prototype pollution in the lib.merge function of cli-util v1.1.27 allows attackers to cause a Denial of Service (DoS) via supplying a crafted payload. | |||||
CVE-2024-57072 | | | 2025-02-06 | N/A | 7.5 HIGH |
A prototype pollution in the lib.requireFromString function of module-from-string v3.3.1 allows attackers to cause a Denial of Service (DoS) via supplying a crafted payload. | |||||
CVE-2024-57067 | | | 2025-02-06 | N/A | 7.5 HIGH |
A prototype pollution in the lib.parse function of dot-qs v0.2.0 allows attackers to cause a Denial of Service (DoS) via supplying a crafted payload. | |||||
CVE-2024-57066 | | | 2025-02-06 | N/A | 7.5 HIGH |
A prototype pollution in the lib.deep function of @ndhoule/defaults v2.0.1 allows attackers to cause a Denial of Service (DoS) via supplying a crafted payload. | |||||
CVE-2024-57065 | | | 2025-02-06 | N/A | 7.5 HIGH |
A prototype pollution in the lib.createPath function of utile v0.3.0 allows attackers to cause a Denial of Service (DoS) via supplying a crafted payload. | |||||
CVE-2024-57063 | | | 2025-02-06 | N/A | 7.5 HIGH |
A prototype pollution in the lib function of php-date-formatter v1.3.6 allows attackers to cause a Denial of Service (DoS) via supplying a crafted payload. | |||||
CVE-2023-30533 | 1 Sheetjs | 1 Sheetjs | 2025-02-04 | N/A | 7.8 HIGH |
SheetJS Community Edition before 0.19.3 allows Prototype Pollution via a crafted file. In other words, 0.19.2 and earlier are affected, whereas 0.19.3 and later are unaffected. |