{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-1774", "assignerOrgId": "37e5125f-f79b-445b-8fad-9564f167944b", "state": "PUBLISHED", "assignerShortName": "certcc", "dateReserved": "2026-02-02T17:01:20.831Z", "datePublished": "2026-02-10T15:38:03.265Z", "dateUpdated": "2026-02-11T14:44:50.765Z"}, "containers": {"cna": {"title": "CASL Ability, versions 2.4.0 through 6.7.4, contains a prototype pollution vulnerability.", "descriptions": [{"lang": "en", "value": "CASL Ability, versions 2.4.0 through 6.7.4, contains a prototype pollution vulnerability."}], "source": {"discovery": "UNKNOWN"}, "affected": [{"vendor": "CASL Ability", "product": "CASL Ability", "versions": [{"status": "affected", "version": "2.4.0", "lessThanOrEqual": "6.7.4", "versionType": "custom"}]}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-1321: Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')"}]}], "references": [{"url": "https://github.com/stalniy/casl/tree/master/packages/casl-ability"}, {"url": "https://cwe.mitre.org/data/definitions/1321.html"}, {"url": "https://developer.mozilla.org/en-US/docs/Web/Security/Attacks/Prototype_pollution"}], "x_generator": {"engine": "VINCE 3.0.31", "env": "prod", "origin": "https://cveawg.mitre.org/api/cve/CVE-2026-1774"}, "providerMetadata": {"orgId": "37e5125f-f79b-445b-8fad-9564f167944b", "shortName": "certcc", "dateUpdated": "2026-02-10T15:59:23.902Z"}}, "adp": [{"title": "CVE Program Container", "references": [{"url": "https://www.kb.cert.org/vuls/id/458422"}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2026-02-10T16:22:54.320Z"}}, {"metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.8, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2026-02-11T14:43:52.840334Z", "id": "CVE-2026-1774", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-11T14:44:50.765Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://www.kb.cert.org/vuls/id/458422"}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2026-02-10T16:22:54.320Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.8, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2026-1774", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-02-11T14:43:52.840334Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-11T14:44:44.122Z"}}], "cna": {"title": "CASL Ability, versions 2.4.0 through 6.7.4, contains a prototype pollution vulnerability.", "source": {"discovery": "UNKNOWN"}, "affected": [{"vendor": "CASL Ability", "product": "CASL Ability", "versions": [{"status": "affected", "version": "2.4.0", "versionType": "custom", "lessThanOrEqual": "6.7.4"}]}], "references": [{"url": "https://github.com/stalniy/casl/tree/master/packages/casl-ability"}, {"url": "https://cwe.mitre.org/data/definitions/1321.html"}, {"url": "https://developer.mozilla.org/en-US/docs/Web/Security/Attacks/Prototype_pollution"}], "x_generator": {"env": "prod", "engine": "VINCE 3.0.31", "origin": "https://cveawg.mitre.org/api/cve/CVE-2026-1774"}, "descriptions": [{"lang": "en", "value": "CASL Ability, versions 2.4.0 through 6.7.4, contains a prototype pollution vulnerability."}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-1321: Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')"}]}], "providerMetadata": {"orgId": "37e5125f-f79b-445b-8fad-9564f167944b", "shortName": "certcc", "dateUpdated": "2026-02-10T15:59:23.902Z"}}}, "cveMetadata": {"cveId": "CVE-2026-1774", "state": "PUBLISHED", "dateUpdated": "2026-02-11T14:44:50.765Z", "dateReserved": "2026-02-02T17:01:20.831Z", "assignerOrgId": "37e5125f-f79b-445b-8fad-9564f167944b", "datePublished": "2026-02-10T15:38:03.265Z", "assignerShortName": "certcc"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "CASL Ability, versions 2.4.0 through 6.7.4, contains a prototype pollution vulnerability."}, {"lang": "es", "value": "CASL Ability, versiones 2.4.0 a 6.7.4, contiene una vulnerabilidad de contaminaci\u00f3n de prototipos."}], "id": "CVE-2026-1774", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2026-02-10T16:16:10.740", "references": [{"source": "cret@cert.org", "url": "https://cwe.mitre.org/data/definitions/1321.html"}, {"source": "cret@cert.org", "url": "https://developer.mozilla.org/en-US/docs/Web/Security/Attacks/Prototype_pollution"}, {"source": "cret@cert.org", "url": "https://github.com/stalniy/casl/tree/master/packages/casl-ability"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://www.kb.cert.org/vuls/id/458422"}], "sourceIdentifier": "cret@cert.org", "vulnStatus": "Deferred"}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[2.4.0,6.7.4]"}}], "product": "casl_ability", "vendor": "casl_ability"}], "analysis": {"en": {"generated_at": "2026-04-17T20:47:56.027047+00:00", "value": {"mitigation_remediation": ["Implement the latest patch or upgrade to a version of CASL Ability later than 6.7.4.", "If an upgrade cannot be performed immediately, consider replacing or isolating the vulnerable CASL Ability package in the dependency tree and removing unneeded features or modules that depend on it.", "Add runtime checks to validate and sanitize any data that influences prototype properties, and restrict the use of shared prototypes in the application."], "summary": {"action": "Patch", "impact": "Prototype Pollution"}, "threat_synthesis": {"affected_systems": "The affected product is CASL Ability, a JavaScript authorization library. The vulnerable releases span from 2.4.0 up to and including 6.7.4. Users employing any of these versions are potentially at risk; the product should be treated as compromised until a neutralized version is deployed.", "description_and_impact": "CASL Ability versions 2.4.0 through 6.7.4 include a prototype pollution flaw that allows attackers to write arbitrary properties onto shared object prototypes. This can lead to subtle changes in application logic, potential denial of service, or more severe consequences if the polluted properties influence control flow or authentication checks. The vulnerability is a classic example of CWE\u20111321: Prototype Pollution.", "risk_and_exploitability": "The advisory rates the issue with a CVSS score of 9.8, indicating high severity. EPSS indicates a very low but non\u2011zero likelihood of exploitation at the current time, and the vulnerability is not listed in the CISA KEV catalog. The most probable attack vector is through web application code that loads the library or accepts user input that is processed by it, allowing an attacker to inject malicious prototype modifications. Because prototype pollution can affect globally shared objects, a successful exploit could bypass access controls or corrupt application state."}}}}, "created": "2026-02-10T21:42:11.106848+00:00", "updated": "2026-04-17T21:00:12.682794+00:00", "vendors": ["casl_ability", "casl_ability$PRODUCT$casl_ability"], "weaknesses": ["CWE-1321"]}