Prototype pollution in swiper - CVE-2026-27212

 


Published: May 27, 2026


Vulnerability identifier: #VU132346
CSH Severity: High
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N/E:U/U:Amber
CVE-ID: CVE-2026-27212
CWE-ID: CWE-1321
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: Swiper
Affected software: swiper

Detailed vulnerability description

The vulnerability allows a remote attacker to modify object prototypes.

The vulnerability exists due to improperly controlled modification of object prototype attributes in the extendDefaults handling in shared/utils.mjs, when attacker-controlled input is processed after Array.prototype.indexOf has been overwritten. A remote attacker can supply a crafted JSON object and overwrite the global Array.prototype.indexOf behavior to modify object prototypes.

The issue can be triggered across Windows and Linux on Node and Bun runtimes.
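
The following is an added illustration, not Swiper's code and not taken from the advisory: it shows why a key blocklist that depends on Array.prototype.indexOf stops filtering once that method has been overwritten, next to a guard that does not depend on it. The function names, the `marker` property and the sample JSON are all constructed for this example.

```javascript
// Added illustration; not Swiper's code. All names here are hypothetical.
const BLOCKED = ['__proto__', 'constructor', 'prototype'];

// Weak guard: trusts Array.prototype.indexOf, which earlier code can replace.
const weakGuard = (key) => BLOCKED.indexOf(key) >= 0;

// Hardened guard: plain comparisons, no call through a mutable prototype method.
const safeGuard = (key) =>
  key === '__proto__' || key === 'constructor' || key === 'prototype';

const isPlainObject = (v) =>
  v !== null && typeof v === 'object' && !Array.isArray(v);

// Classic recursive defaults merge; the key guard is passed in so both can be compared.
function merge(target, src, isBlocked) {
  for (const key of Object.keys(src)) {
    if (isBlocked(key)) continue;
    if (isPlainObject(src[key])) {
      if (!isPlainObject(target[key])) target[key] = {};
      merge(target[key], src[key], isBlocked);
    } else {
      target[key] = src[key];
    }
  }
  return target;
}

// Merges a constructed payload, optionally while indexOf is replaced by a stub
// (simulating earlier tampering), then restores state and reports whether
// Object.prototype gained the marker property.
function markerLeaks(isBlocked, tamperIndexOf) {
  const payload = JSON.parse('{"__proto__":{"marker":"set"},"speed":300}');
  const original = Array.prototype.indexOf;
  if (tamperIndexOf) Array.prototype.indexOf = () => -1;
  try {
    merge({}, payload, isBlocked);
    return ({}).marker === 'set';
  } finally {
    Array.prototype.indexOf = original;
    delete Object.prototype.marker;
  }
}

console.log(markerLeaks(weakGuard, false), markerLeaks(weakGuard, true), markerLeaks(safeGuard, true));
```
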


How to mitigate CVE-2026-27212

Install the security update from the vendor's website.
