CVE-2026-46509

8.2 HIGH

deepobj provides get, set, delete deep objects in javascript

Published: 2026-05-28 · Last updated: 2026-06-01

Severity and scoring

CVSS: 8.2 HIGH
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:L
CWE: CWE-1321

Description

deepobj provides get, set, delete deep objects in javascript. Prior to 1.0.3, prototype pollution is possible when property paths contain __proto__/constructor/prototype. The property path must not be exposed as user input. This vulnerability is fixed in 1.0.3.

Source: NVD

References

Related CVEs

Same CWE

CVE-2026-46625 — JavaScript Cookie is a JavaScript API for handling cookies, client-side (7.5 HIGH)
CVE-2026-45302 — parse-nested-form-data is a tiny node module for parsing FormData by name into objects and arrays (8.2 HIGH)
CVE-2026-46510 — form-data-objectizer converts FormData to object (8.2 HIGH)
CVE-2026-44483 — RVF (formerly Remix Validated Form) provides easy form validation and state management for React (8.2 HIGH)
CVE-2026-44966 — Velocity.js is a JavaScript implementation of the Apache Velocity template engine (8.3 HIGH)