{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-26021", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-02-09T21:36:29.554Z", "datePublished": "2026-02-11T21:18:50.084Z", "dateUpdated": "2026-02-12T21:16:04.618Z"}, "containers": {"cna": {"title": "Prototype pollution in set-in", "problemTypes": [{"descriptions": [{"cweId": "CWE-1321", "lang": "en", "description": "CWE-1321: Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')", "type": "CWE"}]}], "metrics": [{"cvssV4_0": {"attackVector": "LOCAL", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "HIGH", "subIntegrityImpact": "HIGH", "subAvailabilityImpact": "HIGH", "baseScore": 9.4, "baseSeverity": "CRITICAL", "vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H", "version": "4.0"}}], "references": [{"name": "https://github.com/ahdinosaur/set-in/security/advisories/GHSA-2c4m-g7rx-63q7", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/ahdinosaur/set-in/security/advisories/GHSA-2c4m-g7rx-63q7"}, {"name": "https://github.com/ahdinosaur/set-in/commit/b8e1dabfdbd35c8d604b6324e01d03f280256c3d", "tags": ["x_refsource_MISC"], "url": "https://github.com/ahdinosaur/set-in/commit/b8e1dabfdbd35c8d604b6324e01d03f280256c3d"}], "affected": [{"vendor": "ahdinosaur", "product": "set-in", "versions": [{"version": ">= 2.0.1, < 2.0.5", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-02-11T21:18:50.084Z"}, "descriptions": [{"lang": "en", "value": "set-in provides the set value of nested associative structure given array of keys. A prototype pollution vulnerability exists in the the npm package set-in (>=2.0.1, < 2.0.5). Despite a previous fix that attempted to mitigate prototype pollution by checking whether user input contained a forbidden key, it is still possible to pollute Object.prototype via a crafted input using Array.prototype. This has been fixed in version 2.0.5."}], "source": {"advisory": "GHSA-2c4m-g7rx-63q7", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-02-12T21:15:49.981553Z", "id": "CVE-2026-26021", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-12T21:16:04.618Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-26021", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-02-12T21:15:49.981553Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-12T21:15:58.717Z"}}], "cna": {"title": "Prototype pollution in set-in", "source": {"advisory": "GHSA-2c4m-g7rx-63q7", "discovery": "UNKNOWN"}, "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 9.4, "attackVector": "LOCAL", "baseSeverity": "CRITICAL", "vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "subIntegrityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "subAvailabilityImpact": "HIGH", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "HIGH", "vulnConfidentialityImpact": "HIGH"}}], "affected": [{"vendor": "ahdinosaur", "product": "set-in", "versions": [{"status": "affected", "version": ">= 2.0.1, < 2.0.5"}]}], "references": [{"url": "https://github.com/ahdinosaur/set-in/security/advisories/GHSA-2c4m-g7rx-63q7", "name": "https://github.com/ahdinosaur/set-in/security/advisories/GHSA-2c4m-g7rx-63q7", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/ahdinosaur/set-in/commit/b8e1dabfdbd35c8d604b6324e01d03f280256c3d", "name": "https://github.com/ahdinosaur/set-in/commit/b8e1dabfdbd35c8d604b6324e01d03f280256c3d", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "set-in provides the set value of nested associative structure given array of keys. A prototype pollution vulnerability exists in the the npm package set-in (>=2.0.1, < 2.0.5). Despite a previous fix that attempted to mitigate prototype pollution by checking whether user input contained a forbidden key, it is still possible to pollute Object.prototype via a crafted input using Array.prototype. This has been fixed in version 2.0.5."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-1321", "description": "CWE-1321: Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-02-11T21:18:50.084Z"}}}, "cveMetadata": {"cveId": "CVE-2026-26021", "state": "PUBLISHED", "dateUpdated": "2026-02-12T21:16:04.618Z", "dateReserved": "2026-02-09T21:36:29.554Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-02-11T21:18:50.084Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:set-in_project:set-in:*:*:*:*:*:*:*:*", "matchCriteriaId": "67272E90-9D93-4A5B-9060-3D84BA6E4A5F", "versionEndExcluding": "2.0.5", "versionStartIncluding": "2.0.1", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "set-in provides the set value of nested associative structure given array of keys. A prototype pollution vulnerability exists in the the npm package set-in (>=2.0.1, < 2.0.5). Despite a previous fix that attempted to mitigate prototype pollution by checking whether user input contained a forbidden key, it is still possible to pollute Object.prototype via a crafted input using Array.prototype. This has been fixed in version 2.0.5."}], "id": "CVE-2026-26021", "lastModified": "2026-02-13T21:43:27.900", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "LOCAL", "availabilityRequirement": "NOT_DEFINED", "baseScore": 9.4, "baseSeverity": "CRITICAL", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "HIGH", "subConfidentialityImpact": "HIGH", "subIntegrityImpact": "HIGH", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "HIGH", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-02-11T22:15:52.077", "references": [{"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/ahdinosaur/set-in/commit/b8e1dabfdbd35c8d604b6324e01d03f280256c3d"}, {"source": "security-advisories@github.com", "tags": ["Exploit", "Vendor Advisory"], "url": "https://github.com/ahdinosaur/set-in/security/advisories/GHSA-2c4m-g7rx-63q7"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-1321"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[2.0.1,2.0.5)"}}], "product": "set-in", "vendor": "ahdinosaur"}], "analysis": {"en": {"generated_at": "2026-04-17T20:10:11.208772+00:00", "value": {"mitigation_remediation": ["Upgrade the set-in package to version 2.0.5 or later.", "Audit the dependency tree to identify and replace indirect uses of set-in that fall within the vulnerable range.", "As a temporary safeguard, validate all keys passed to set-in and reject array inputs or other constructs that could trigger prototype pollution."], "summary": {"action": "Immediate Patch", "impact": "Prototype pollution potentially enabling arbitrary code execution or privilege escalation"}, "threat_synthesis": {"affected_systems": "The affected vendor is ahdinosaur and the product is set-in, a Node.js utility for setting nested values in objects. Vulnerable versions include any release in the range 2.0.1 through 2.0.4. Projects that depend on these package versions, either directly or indirectly, are at risk. The fix is provided in version 2.0.5 and later.", "description_and_impact": "The vulnerability occurs in the npm package set-in (>=2.0.1, <2.0.5) and allows an attacker to pollute Object.prototype by supplying a crafted input that uses Array.prototype. The flaw is a prototype pollution weakness (CWE-1321) that can be exploited to alter built\u2011in prototypes, creating a foundation for subsequent attacks such as arbitrary code execution, malicious data manipulation, or privilege escalation. The impact is high because modifying Object.prototype affects every object in the JavaScript runtime, potentially compromising all code that runs in that process.", "risk_and_exploitability": "With a CVSS score of 9.4 the vulnerability is rated critical, while the EPSS score of less than 1% indicates a low current exploitation probability but that could change as attackers develop payloads. The vulnerability is not listed in the CISA KEV catalog. Attackers could invoke the flaw remotely by providing specially crafted input to set-in, such as an array payload that includes offending keys, thereby polluting prototypes in a running application. The flaw\u2019s remote nature means that any service receiving untrusted data through set-in could be compromised if not patched."}}}}, "created": "2026-02-12T09:03:14.257390+00:00", "updated": "2026-04-17T20:15:27.003125+00:00", "vendors": ["ahdinosaur", "ahdinosaur$PRODUCT$set-in"]}