{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-27212", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-02-18T19:47:02.156Z", "datePublished": "2026-02-21T05:43:07.072Z", "dateUpdated": "2026-02-24T18:53:04.131Z"}, "containers": {"cna": {"title": "Swiper has a Prototype Pollution Vulnerability", "problemTypes": [{"descriptions": [{"cweId": "CWE-1321", "lang": "en", "description": "CWE-1321: Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')", "type": "CWE"}]}], "metrics": [{"cvssV4_0": {"attackVector": "LOCAL", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "HIGH", "subIntegrityImpact": "HIGH", "subAvailabilityImpact": "HIGH", "baseScore": 9.4, "baseSeverity": "CRITICAL", "vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H", "version": "4.0"}}], "references": [{"name": "https://github.com/nolimits4web/swiper/security/advisories/GHSA-hmx5-qpq5-p643", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/nolimits4web/swiper/security/advisories/GHSA-hmx5-qpq5-p643"}, {"name": "https://github.com/nolimits4web/swiper/commit/d3e663322a13043ca63aaba235d8cf3900e0c8cf", "tags": ["x_refsource_MISC"], "url": "https://github.com/nolimits4web/swiper/commit/d3e663322a13043ca63aaba235d8cf3900e0c8cf"}, {"name": "https://github.com/nolimits4web/swiper/releases/tag/v12.1.2", "tags": ["x_refsource_MISC"], "url": "https://github.com/nolimits4web/swiper/releases/tag/v12.1.2"}], "affected": [{"vendor": "nolimits4web", "product": "swiper", "versions": [{"version": ">= 6.5.1, < 12.1.2", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-02-21T05:43:07.072Z"}, "descriptions": [{"lang": "en", "value": "Swiper is a free and mobile touch slider with hardware accelerated transitions and native behavior. Versions 6.5.1 through 12.1.1 have a Prototype pollution vulnerability. The vulnerability resides in line 94 of shared/utils.mjs, where the indexOf() function is used to check whether user provided input contain forbidden strings. Despite a previous fix that attempted to mitigate prototype pollution by checking whether user input contained a forbidden key, it is still possible to pollute Object.prototype via a crafted input using Array.prototype. The exploit works across Windows and Linux and on Node and Bun runtimes. Any application that processes attacker-controlled input using this package may be affected by the following: Authentication Bypass, Denial of Service and RCE. This issue is fixed in version 12.1.2."}], "source": {"advisory": "GHSA-hmx5-qpq5-p643", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-02-24T18:52:46.035771Z", "id": "CVE-2026-27212", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-24T18:53:04.131Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-27212", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-02-24T18:52:46.035771Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-24T18:52:57.132Z"}}], "cna": {"title": "Swiper has a Prototype Pollution Vulnerability", "source": {"advisory": "GHSA-hmx5-qpq5-p643", "discovery": "UNKNOWN"}, "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 9.4, "attackVector": "LOCAL", "baseSeverity": "CRITICAL", "vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "subIntegrityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "subAvailabilityImpact": "HIGH", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "HIGH", "vulnConfidentialityImpact": "HIGH"}}], "affected": [{"vendor": "nolimits4web", "product": "swiper", "versions": [{"status": "affected", "version": ">= 6.5.1, < 12.1.2"}]}], "references": [{"url": "https://github.com/nolimits4web/swiper/security/advisories/GHSA-hmx5-qpq5-p643", "name": "https://github.com/nolimits4web/swiper/security/advisories/GHSA-hmx5-qpq5-p643", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/nolimits4web/swiper/commit/d3e663322a13043ca63aaba235d8cf3900e0c8cf", "name": "https://github.com/nolimits4web/swiper/commit/d3e663322a13043ca63aaba235d8cf3900e0c8cf", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/nolimits4web/swiper/releases/tag/v12.1.2", "name": "https://github.com/nolimits4web/swiper/releases/tag/v12.1.2", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "Swiper is a free and mobile touch slider with hardware accelerated transitions and native behavior. Versions 6.5.1 through 12.1.1 have a Prototype pollution vulnerability. The vulnerability resides in line 94 of shared/utils.mjs, where the indexOf() function is used to check whether user provided input contain forbidden strings. Despite a previous fix that attempted to mitigate prototype pollution by checking whether user input contained a forbidden key, it is still possible to pollute Object.prototype via a crafted input using Array.prototype. The exploit works across Windows and Linux and on Node and Bun runtimes. Any application that processes attacker-controlled input using this package may be affected by the following: Authentication Bypass, Denial of Service and RCE. This issue is fixed in version 12.1.2."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-1321", "description": "CWE-1321: Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-02-21T05:43:07.072Z"}}}, "cveMetadata": {"cveId": "CVE-2026-27212", "state": "PUBLISHED", "dateUpdated": "2026-02-24T18:53:04.131Z", "dateReserved": "2026-02-18T19:47:02.156Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-02-21T05:43:07.072Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:swiperjs:swiper:*:*:*:*:*:node.js:*:*", "matchCriteriaId": "649D66EB-A502-4668-92D9-0534432DBFF0", "versionEndExcluding": "12.1.2", "versionStartIncluding": "6.5.1", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Swiper is a free and mobile touch slider with hardware accelerated transitions and native behavior. Versions 6.5.1 through 12.1.1 have a Prototype pollution vulnerability. The vulnerability resides in line 94 of shared/utils.mjs, where the indexOf() function is used to check whether user provided input contain forbidden strings. Despite a previous fix that attempted to mitigate prototype pollution by checking whether user input contained a forbidden key, it is still possible to pollute Object.prototype via a crafted input using Array.prototype. The exploit works across Windows and Linux and on Node and Bun runtimes. Any application that processes attacker-controlled input using this package may be affected by the following: Authentication Bypass, Denial of Service and RCE. This issue is fixed in version 12.1.2."}], "id": "CVE-2026-27212", "lastModified": "2026-02-24T15:16:56.670", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 7.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "LOCAL", "availabilityRequirement": "NOT_DEFINED", "baseScore": 9.4, "baseSeverity": "CRITICAL", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "HIGH", "subConfidentialityImpact": "HIGH", "subIntegrityImpact": "HIGH", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "HIGH", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-02-21T06:17:01.443", "references": [{"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/nolimits4web/swiper/commit/d3e663322a13043ca63aaba235d8cf3900e0c8cf"}, {"source": "security-advisories@github.com", "tags": ["Product"], "url": "https://github.com/nolimits4web/swiper/releases/tag/v12.1.2"}, {"source": "security-advisories@github.com", "tags": ["Exploit", "Vendor Advisory"], "url": "https://github.com/nolimits4web/swiper/security/advisories/GHSA-hmx5-qpq5-p643"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-1321"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[6.5.1,12.1.2)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "swiper", "source": "cna", "vendor": "nolimits4web"}, "product": "swiper", "vendor": "nolimits4web"}], "analysis": {"en": {"generated_at": "2026-04-17T16:52:14.306416+00:00", "value": {"mitigation_remediation": ["Upgrade Swiper to version 12.1.2 or later.", "Remove or replace any dependencies on Swiper versions 6.5.1 through 12.1.1 from all projects.", "Restrict user input supplied to Swiper configurations, avoiding objects that contain Array.prototype or other prototype\u2011modifying keys."], "summary": {"action": "Patch Now", "impact": "Remote Code Execution"}, "threat_synthesis": {"affected_systems": "The affected software is the Swiper library from nolimits4web, deployed in Node.js and Bun environments on Windows and Linux. Versions between 6.5.1 and 12.1.1 are vulnerable; the fix is released in version 12.1.2.", "description_and_impact": "The vulnerability is a prototype pollution flaw in Swiper versions 6.5.1 through 12.1.1, located in shared/utils.mjs where an indexOf check fails to block user\u2011supplied keys that can overwrite Object.prototype. The flaw gives an attacker the ability to manipulate the global prototype chain, potentially leading to authentication bypass, denial of service, and remote code execution in any application that consumes attacker\u2011controlled input through this library.", "risk_and_exploitability": "With a CVSS score of 9.4 the vulnerability is considered critical. Although the EPSS score is under 1% indicating a low overall risk of discovery, the impact is severe, and the flaw is not listed in the CISA KEV catalog. An attacker who can supply crafted input to a Swiper\u2011dependent application can pollute Object.prototype and achieve remote code execution; the attack vector relies on application exposure to untrusted data rather than network\u2011level exploitation."}}}}, "created": "2026-02-23T14:32:34.044556+00:00", "updated": "2026-04-17T17:00:10.178847+00:00", "vendors": ["nolimits4web", "nolimits4web$PRODUCT$swiper"]}