Total
377 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2023-26121 | 1 Safe-eval Project | 1 Safe-eval | 2025-02-10 | N/A | 7.5 HIGH |
| All versions of the package safe-eval are vulnerable to Prototype Pollution via the safeEval function, due to improper sanitization of its parameter content. | |||||
| CVE-2023-26122 | 1 Safe-eval Project | 1 Safe-eval | 2025-02-07 | N/A | 8.8 HIGH |
| All versions of the package safe-eval are vulnerable to Sandbox Bypass due to improper input sanitization. The vulnerability is derived from prototype pollution exploitation. Exploiting this vulnerability might result in remote code execution ("RCE"). **Vulnerable functions:** __defineGetter__, stack(), toLocaleString(), propertyIsEnumerable.call(), valueOf(). | |||||
| CVE-2024-57084 | 2025-02-07 | N/A | 7.5 HIGH | ||
| A prototype pollution in the function lib.parse of dot-properties v1.0.1 allows attackers to cause a Denial of Service (DoS) via supplying a crafted payload. | |||||
| CVE-2024-57086 | 2025-02-06 | N/A | 7.5 HIGH | ||
| A prototype pollution in the function fieldsToJson of node-opcua-alarm-condition v2.134.0 allows attackers to cause a Denial of Service (DoS) via supplying a crafted payload. | |||||
| CVE-2024-57080 | 2025-02-06 | N/A | 7.5 HIGH | ||
| A prototype pollution in the lib.install function of vxe-table v4.8.10 allows attackers to cause a Denial of Service (DoS) via supplying a crafted payload. | |||||
| CVE-2024-57071 | 2025-02-06 | N/A | 7.5 HIGH | ||
| A prototype pollution in the lib.combine function of php-parser v3.2.1 allows attackers to cause a Denial of Service (DoS) via supplying a crafted payload. | |||||
| CVE-2024-57069 | 2025-02-06 | N/A | 7.5 HIGH | ||
| A prototype pollution in the lib function of expand-object v0.4.2 allows attackers to cause a Denial of Service (DoS) via supplying a crafted payload. | |||||
| CVE-2024-57078 | 2025-02-06 | N/A | 7.5 HIGH | ||
| A prototype pollution in the lib.merge function of cli-util v1.1.27 allows attackers to cause a Denial of Service (DoS) via supplying a crafted payload. | |||||
| CVE-2024-57072 | 2025-02-06 | N/A | 7.5 HIGH | ||
| A prototype pollution in the lib.requireFromString function of module-from-string v3.3.1 allows attackers to cause a Denial of Service (DoS) via supplying a crafted payload. | |||||
| CVE-2024-57067 | 2025-02-06 | N/A | 7.5 HIGH | ||
| A prototype pollution in the lib.parse function of dot-qs v0.2.0 allows attackers to cause a Denial of Service (DoS) via supplying a crafted payload. | |||||
| CVE-2024-57066 | 2025-02-06 | N/A | 7.5 HIGH | ||
| A prototype pollution in the lib.deep function of @ndhoule/defaults v2.0.1 allows attackers to cause a Denial of Service (DoS) via supplying a crafted payload. | |||||
| CVE-2024-57065 | 2025-02-06 | N/A | 7.5 HIGH | ||
| A prototype pollution in the lib.createPath function of utile v0.3.0 allows attackers to cause a Denial of Service (DoS) via supplying a crafted payload. | |||||
| CVE-2024-57063 | 2025-02-06 | N/A | 7.5 HIGH | ||
| A prototype pollution in the lib function of php-date-formatter v1.3.6 allows attackers to cause a Denial of Service (DoS) via supplying a crafted payload. | |||||
| CVE-2023-30533 | 1 Sheetjs | 1 Sheetjs | 2025-02-04 | N/A | 7.8 HIGH |
| SheetJS Community Edition before 0.19.3 allows Prototype Pollution via a crafted file. In other words. 0.19.2 and earlier are affected, whereas 0.19.3 and later are unaffected. | |||||
| CVE-2023-30363 | 1 Tencent | 1 Vconsole | 2025-02-03 | N/A | 9.8 CRITICAL |
| vConsole v3.15.0 was discovered to contain a prototype pollution due to incorrect key and value resolution in setOptions in core.ts. | |||||
| CVE-2024-54156 | 1 Jetbrains | 1 Youtrack | 2025-01-30 | N/A | 4.2 MEDIUM |
| In JetBrains YouTrack before 2024.3.52635 multiple merge functions were vulnerable to prototype pollution attack | |||||
| CVE-2023-2582 | 1 Strikingly | 1 Strikingly | 2025-01-28 | N/A | 6.1 MEDIUM |
| A prototype pollution vulnerability exists in Strikingly CMS which can result in reflected cross-site scripting (XSS) in affected applications and sites built with Strikingly. The vulnerability exists because of Strikingly JavaScript library parsing the URL fragment allows access to the __proto__ or constructor properties and the Object prototype. By leveraging an embedded gadget like jQuery, an attacker who convinces a victim to visit a specially crafted link could achieve arbitrary javascript execution in the context of the user's browser. | |||||
| CVE-2021-3918 | 2 Debian, Json-schema Project | 2 Debian Linux, Json-schema | 2025-01-17 | 7.5 HIGH | 9.8 CRITICAL |
| json-schema is vulnerable to Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution') | |||||
| CVE-2024-34698 | 1 Freescout | 1 Freescout | 2025-01-10 | N/A | 4.6 MEDIUM |
| FreeScout is a free, self-hosted help desk and shared mailbox. Versions of FreeScout prior to 1.8.139 contain a Prototype Pollution vulnerability in the `/public/js/main.js` source file. The Prototype Pollution arises because the `getQueryParam` Function recursively merges an object containing user-controllable properties into an existing object (For URL Query Parameters Parsing), without first sanitizing the keys. This can allow an attacker to inject a property with a key `__proto__`, along with arbitrarily nested properties. The merge operation assigns the nested properties to the `params` object's prototype instead of the target object itself. As a result, the attacker can pollute the prototype with properties containing harmful values, which are then inherited by user-defined objects and subsequently used by the application dangerously. The vulnerability lets an attacker control properties of objects that would otherwise be inaccessible. If the application subsequently handles an attacker-controlled property in an unsafe way, this can potentially be chained with other vulnerabilities like DOM-based XSS, Open Redirection, Cookie Manipulation, Link Manipulation, HTML Injection, etc. Version 1.8.139 contains a patch for the issue. | |||||
| CVE-2023-26133 | 1 Progressbar.js Project | 1 Progressbar.js | 2025-01-06 | N/A | 8.2 HIGH |
| All versions of the package progressbar.js are vulnerable to Prototype Pollution via the function extend() in the file utils.js. | |||||