CVE-2021-39227
6.2 MEDIUM
ZRender is a lightweight graphic library providing 2d draw for Apache ECharts
Published: 2021-09-17 · Last updated: 2026-06-17
Severity and scoring
- CVSS
- 6.2 MEDIUM
- Vector
- CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
- CWE
- CWE-1321
Affected products
| Vendor | Product |
|---|---|
| baidu | zrender |
Description
ZRender is a lightweight graphic library providing 2d draw for Apache ECharts. In versions prior to 5.2.1, using the `merge` and `clone` helper methods in the `src/core/util.ts` module results in prototype pollution: an attacker-controlled object carrying a `__proto__` key is walked recursively, so the recursion descends into `Object.prototype` and writes attacker-chosen properties onto every object in the process. It affects the popular data visualization library Apache ECharts, which uses and exports these two methods directly. The GitHub Security Advisory page for this vulnerability contains a proof of concept. This issue is patched in ZRender version 5.2.1. One workaround is available: check whether `__proto__` is present in the object's keys and omit it before using the object as a parameter to these affected methods, or to `echarts.util.merge` and `setOption` if the project is using ECharts.
Source: NVD
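To make the failure mode concrete, the following is an added example and not ZRender's or ECharts' own code: `naiveMerge` is a generic recursive merge of the kind the advisory describes (it trusts every own key of the source object), `safeMerge` is the same routine with the advisory's workaround applied (prototype keys skipped, and recursion only into the target's own properties), and `stripProtoKeys` is a sanitizer a caller who cannot upgrade yet could run over untrusted options before passing them to `merge`, `clone` or `setOption`. The function names and the `PAYLOAD_JSON` option object are constructed for this illustration; the payload stands in for chart options loaded from an untrusted source.

```javascript
// Added example (not ZRender code): prototype pollution through a naive
// recursive merge, beside a hardened merge and a sanitizer.

// Keys that must never be written through from untrusted input. JSON.parse
// creates "__proto__" as an ordinary own property, so Object.keys() returns
// it and a merge that does not filter it will recurse into Object.prototype.
const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

function isPlainObject(v) {
  return v !== null && typeof v === 'object' && !Array.isArray(v);
}

// Vulnerable: target["__proto__"] evaluates to Object.prototype, which passes
// isPlainObject, so the recursion writes source.__proto__.* onto the global
// prototype shared by every object in the process.
function naiveMerge(target, source) {
  for (const key of Object.keys(source)) {
    const s = source[key];
    if (isPlainObject(s)) {
      if (!isPlainObject(target[key])) target[key] = {};
      naiveMerge(target[key], s);
    } else {
      target[key] = s;
    }
  }
  return target;
}

// Hardened: skip prototype keys (the advisory's workaround) and only descend
// into properties the target actually owns, never into inherited objects.
function safeMerge(target, source) {
  for (const key of Object.keys(source)) {
    if (FORBIDDEN_KEYS.has(key)) continue;
    const s = source[key];
    if (isPlainObject(s)) {
      const own = Object.prototype.hasOwnProperty.call(target, key);
      if (!own || !isPlainObject(target[key])) target[key] = {};
      safeMerge(target[key], s);
    } else {
      target[key] = s;
    }
  }
  return target;
}

// Caller-side workaround: rebuild untrusted option objects without prototype
// keys before handing them to merge/clone or setOption. Returns a fresh tree.
function stripProtoKeys(value) {
  if (Array.isArray(value)) return value.map(stripProtoKeys);
  if (!isPlainObject(value)) return value;
  const out = {};
  for (const key of Object.keys(value)) {
    if (FORBIDDEN_KEYS.has(key)) continue;
    out[key] = stripProtoKeys(value[key]);
  }
  return out;
}

// Constructed attacker payload: a plausible chart option with a smuggled
// __proto__ key. In a real deployment this would arrive from the network.
const PAYLOAD_JSON = '{"title":{"text":"ok"},"__proto__":{"polluted":"yes"}}';

// Runs one merge strategy against the payload and reports whether an
// unrelated, freshly created object observed the pollution. Cleans up
// Object.prototype afterwards so repeated calls start from a clean state.
function demonstrate(mergeFn) {
  const target = {};
  mergeFn(target, JSON.parse(PAYLOAD_JSON));
  const victim = {};
  const leaked = victim.polluted;
  delete Object.prototype.polluted;
  return { titleText: target.title && target.title.text, leaked };
}

console.log('naive :', demonstrate(naiveMerge));
console.log('safe  :', demonstrate(safeMerge));
console.log('strip :', demonstrate((t, s) => naiveMerge(t, stripProtoKeys(s))));
```

The `victim` object in `demonstrate` is the point of the exercise: it is never touched by the merge, yet after `naiveMerge` it reports `polluted === 'yes'`, which is exactly the cross-object effect CWE-1321 describes. Both mitigations preserve the legitimate `title.text` value while leaving `victim.polluted` undefined.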
References
- [NVD]https://nvd.nist.gov/vuln/detail/CVE-2021-39227
- [Patch]https://github.com/ecomfe/zrender/pull/826
- [Other]https://github.com/ecomfe/zrender/releases/tag/5.2.1
- [Other]https://github.com/ecomfe/zrender/security/advisories/GHSA-fhv8-fx5f-7fxf
Related CVEs
Same CWE
- CVE-2026-48714 — i18next-http-middleware is a middleware to be used with Node.js web frameworks like express or Fastify and also for Deno (9.1 CRITICAL)
- CVE-2026-48713 — Versions prior to 2.6.6 are vulnerable to prototype pollution via crafted missing-key strings when used to persist missing translation ke... (9.1 CRITICAL)
- CVE-2026-12209 — A security vulnerability has been detected in RubyLouvre avalon up to 2.2.10 (5.3 MEDIUM)
- CVE-2026-12208 — A weakness has been identified in jsonata-js jsonata up to 2.2.0 (5.3 MEDIUM)
- CVE-2026-53609 — ApostropheCMS is an open-source Node.js content management system (9.1 CRITICAL)