SB2026040246 - Prototype pollution in Immutable.js
Published: April 2, 2026
Description
This security bulletin contains information about 1 security vulnerability.
1) Prototype pollution (CVE-ID: CVE-2026-29063)
The vulnerability allows a remote attacker to modify object prototype attributes of affected JavaScript objects.
The vulnerability exists due to improper input validation in the mergeDeep(), mergeDeepWith(), merge(), Map.toJS(), and Map.toObject() functions when processing user-supplied input containing __proto__ properties. A remote attacker can send a specially crafted object as input to pollute the prototype of base objects, leading to unauthorized property injection and potential privilege escalation.
The pollution does not reach the global Object.prototype, but the injected properties remain reachable through ordinary property lookups on the affected objects, even though Object.keys() does not list them.
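As an added defensive example (not code from the bulletin or from Immutable.js), the input-validation step a consumer can place in front of any deep merge of untrusted JSON: a JSON.parse reviver that rejects `__proto__`, `constructor` and `prototype` keys, plus a plain-object deep merge that never assigns those keys and builds into a null-prototype target. It assumes the application controls deserialization of the untrusted input; the sample payload and key names are constructed.

```javascript
// Added defensive example, not code from the bulletin or from Immutable.js.
// Layer 1 rejects prototype-polluting keys at parse time; layer 2 merges safely.

const FORBIDDEN_KEYS = new Set(["__proto__", "constructor", "prototype"]);

function isPlainObject(v) {
  if (v === null || typeof v !== "object" || Array.isArray(v)) return false;
  const proto = Object.getPrototypeOf(v);
  return proto === null || proto === Object.prototype;
}

// JSON.parse creates "__proto__" as an ordinary own property, so the key
// survives parsing; the reviver sees every key and can reject it early.
function parseUntrustedJson(text) {
  return JSON.parse(text, (key, value) => {
    if (FORBIDDEN_KEYS.has(key)) {
      throw new Error(`rejected prototype-polluting key: ${key}`);
    }
    return value;
  });
}

// Deep merge that skips forbidden keys. The result has a null prototype, so
// even an assignment to "__proto__" could not reach Object.prototype's setter.
function safeDeepMerge(target, source) {
  const out = Object.create(null);
  for (const obj of [target, source]) {
    for (const key of Object.keys(obj)) {
      if (FORBIDDEN_KEYS.has(key)) continue;
      const incoming = obj[key];
      const existing = out[key];
      out[key] = isPlainObject(incoming) && isPlainObject(existing)
        ? safeDeepMerge(existing, incoming)
        : incoming;
    }
  }
  return out;
}

// Constructed sample payload with the shape the bulletin describes.
const SAMPLE_UNTRUSTED = '{"theme":"dark","__proto__":{"isAdmin":true}}';

// Runs both layers over the sample and returns what a caller would check.
function runSample() {
  let rejected = false;
  try { parseUntrustedJson(SAMPLE_UNTRUSTED); } catch { rejected = true; }
  const merged = safeDeepMerge({ theme: "light", limits: { max: 5 } }, JSON.parse(SAMPLE_UNTRUSTED));
  return { rejected, merged, globalClean: ({}).isAdmin === undefined };
}
```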
Remediation
Install the update from the vendor's website.