Total
369 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2025-25977 | 1 Canvg | 1 Canvg | 2025-03-25 | 9.8 Critical |
| An issue in canvg v.4.0.2 allows an attacker to execute arbitrary code via the Constructor of the class StyleElement. | ||||
| CVE-2024-57077 | 2025-03-24 | 9.1 Critical | ||
| The latest version of utils-extend (1.0.8) is vulnerable to Prototype Pollution through the entry function(s) lib.extend. An attacker can supply a payload with Object.prototype setter to introduce or modify properties within the global prototype chain, causing denial of service (DoS) a the minimum consequence. | ||||
| CVE-2024-2495 | 1 Friendlyelec | 1 Friendlywrt | 2025-03-24 | 5.2 Medium |
| Cryptographic key vulnerability encoded in the FriendlyWrt firmware affecting version 2022-11-16.51b3d35. This vulnerability could allow an attacker to compromise the confidentiality and integrity of encrypted data. | ||||
| CVE-2025-25975 | 2025-03-19 | 7.5 High | ||
| An issue in parse-git-config v.3.0.0 allows an attacker to obtain sensitive information via the expandKeys function | ||||
| CVE-2023-23917 | 1 Rocket.chat | 1 Rocket.chat | 2025-03-12 | 8.8 High |
| A prototype pollution vulnerability exists in Rocket.Chat server <5.2.0 that could allow an attacker to a RCE under the admin account. Any user can create their own server in your cloud and become an admin so this vulnerability could affect the cloud infrastructure. This attack vector also may increase the impact of XSS to RCE which is dangerous for self-hosted users as well. | ||||
| CVE-2022-3901 | 1 Visioglobe | 1 Visioweb | 2025-03-12 | 7.2 High |
| Prototype Pollution in Visioweb.js 1.10.6 allows attackers to execute XSS on the client system. | ||||
| CVE-2023-26102 | 1 Rangy Project | 1 Rangy | 2025-03-11 | 7.5 High |
| All versions of the package rangy are vulnerable to Prototype Pollution when using the extend() function in file rangy-core.js.The function uses recursive merge which can lead an attacker to modify properties of the Object.prototype | ||||
| CVE-2023-26105 | 1 Utilities Project | 1 Utilities | 2025-03-11 | 7.5 High |
| All versions of the package utilities are vulnerable to Prototype Pollution via the _mix function. | ||||
| CVE-2022-29823 | 1 Feathersjs | 1 Feathers-sequelize | 2025-03-11 | 10 Critical |
| Feather-Sequalize cleanQuery method uses insecure recursive logic to filter unsupported keys from the query object. This results in a Remote Code Execution (RCE) with privileges of application. | ||||
| CVE-2024-57064 | 2025-03-10 | 7.5 High | ||
| A prototype pollution in the lib.setValue function of @syncfusion/ej2-spreadsheet v27.2.2 allows attackers to cause a Denial of Service (DoS) via supplying a crafted payload. NOTE: the Supplier disputes this because they found that the lib.setValue function is not utilized. | ||||
| CVE-2025-27597 | 2025-03-07 | N/A | ||
| Vue I18n is the internationalization plugin for Vue.js. @intlify/message-resolver and @intlify/vue-i18n-core are vulnerable to Prototype Pollution through the entry function: handleFlatJson. An attacker can supply a payload with Object.prototype setter to introduce or modify properties within the global prototype chain, causing denial of service (DoS) a the minimum consequence. Moreover, the consequences of this vulnerability can escalate to other injection-based attacks, depending on how the library integrates within the application. For instance, if the polluted property propagates to sensitive Node.js APIs (e.g., exec, eval), it could enable an attacker to execute arbitrary commands within the application's context. | ||||
| CVE-2025-25015 | 2025-03-06 | 9.9 Critical | ||
| Prototype pollution in Kibana leads to arbitrary code execution via a crafted file upload and specifically crafted HTTP requests. In Kibana versions >= 8.15.0 and < 8.17.1, this is exploitable by users with the Viewer role. In Kibana versions 8.17.1 and 8.17.2 , this is only exploitable by users that have roles that contain all the following privileges: fleet-all, integrations-all, actions:execute-advanced-connectors | ||||
| CVE-2023-26106 | 1 Dot-lens Project | 1 Dot-lens | 2025-03-05 | 7.5 High |
| All versions of the package dot-lens are vulnerable to Prototype Pollution via the set() function in index.js file. | ||||
| CVE-2020-7709 | 1 Manuelstofer | 1 Json-pointer | 2025-03-05 | 6 Medium |
| This affects the package json-pointer before 0.6.1. Multiple reference of object using slash is supported. | ||||
| CVE-2023-26113 | 1 Collection.js Project | 1 Collection.js | 2025-02-26 | 7.5 High |
| Versions of the package collection.js before 6.8.1 are vulnerable to Prototype Pollution via the extend function in Collection.js/dist/node/iterators/extend.js. | ||||
| CVE-2024-11628 | 1 Telerik | 1 Kendo Ui For Vue | 2025-02-21 | 4.1 Medium |
| In Progress® Telerik® Kendo UI for Vue versions v2.4.0 through v6.0.1, an attacker can introduce or modify properties within the global prototype chain which can result in denial of service or command injection. | ||||
| CVE-2024-12629 | 1 Telerik | 1 Kendoreact | 2025-02-20 | 4.1 Medium |
| In Progress® Telerik® KendoReact versions v3.5.0 through v9.4.0, an attacker can introduce or modify properties within the global prototype chain which can result in denial of service or command injection. | ||||
| CVE-2022-36059 | 2 Matrix, Redhat | 4 Javascript Sdk, Enterprise Linux, Rhel E4s and 1 more | 2025-02-18 | 8.2 High |
| matrix-js-sdk is a Matrix messaging protocol Client-Server SDK for JavaScript. In versions prior to 19.4.0 events sent with special strings in key places can temporarily disrupt or impede the matrix-js-sdk from functioning properly, potentially impacting the consumer's ability to process data safely. Note that the matrix-js-sdk can appear to be operating normally but be excluding or corrupting runtime data presented to the consumer. This issue has been fixed in matrix-js-sdk 19.4.0 and users are advised to upgrade. Users unable to upgrade may mitigate this issue by redacting applicable events, waiting for the sync processor to store data, and restarting the client. Alternatively, redacting the applicable events and clearing all storage will often fix most perceived issues. In some cases, no workarounds are possible. | ||||
| CVE-2023-28427 | 2 Matrix, Redhat | 6 Javascript Sdk, Enterprise Linux, Rhel Aus and 3 more | 2025-02-18 | 8.2 High |
| matrix-js-sdk is a Matrix messaging protocol Client-Server SDK for JavaScript. In versions prior to 24.0.0 events sent with special strings in key places can temporarily disrupt or impede the matrix-js-sdk from functioning properly, potentially impacting the consumer's ability to process data safely. Note that the matrix-js-sdk can appear to be operating normally but be excluding or corrupting runtime data presented to the consumer. This vulnerability is distinct from GHSA-rfv9-x7hh-xc32 which covers a similar issue. The issue has been patched in matrix-js-sdk 24.0.0 and users are advised to upgrade. There are no known workarounds for this vulnerability. | ||||
| CVE-2022-36060 | 1 Matrix | 1 React Sdk | 2025-02-18 | 8.2 High |
| matrix-react-sdk is a Matrix chat protocol SDK for React Javascript. Events sent with special strings in key places can temporarily disrupt or impede the matrix-react-sdk from functioning properly, such as by causing room or event tile crashes. The remainder of the application can appear functional, though certain rooms/events will not be rendered. This issue has been fixed in matrix-react-sdk 3.53.0 and users are advised to upgrade. There are no known workarounds for this vulnerability. | ||||