{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-3884", "assignerOrgId": "bae035ff-b466-4ff4-94d0-fc9efd9e1730", "state": "PUBLISHED", "assignerShortName": "snyk", "dateReserved": "2026-03-10T15:23:07.934Z", "datePublished": "2026-03-11T05:00:09.279Z", "dateUpdated": "2026-03-11T15:45:37.336Z"}, "containers": {"cna": {"metrics": [{"cvssV3_1": {"version": "3.1", "attackVector": "NETWORK", "attackComplexity": "LOW", "exploitCodeMaturity": "PROOF_OF_CONCEPT", "privilegesRequired": "NONE", "userInteraction": "REQUIRED", "scope": "CHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N/E:P"}, "cvssV4_0": {"version": "4.0", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "exploitMaturity": "PROOF_OF_CONCEPT", "privilegesRequired": "NONE", "userInteraction": "ACTIVE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "LOW", "subIntegrityImpact": "LOW", "subAvailabilityImpact": "NONE", "baseScore": 5.1, "baseSeverity": "MEDIUM", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:P"}}], "credits": [{"value": "Eric Cornelissen", "lang": "en"}, {"value": "Samuel Kajava", "lang": "en"}], "problemTypes": [{"descriptions": [{"cweId": "CWE-79", "description": "Cross-site Scripting (XSS)", "lang": "en"}]}], "providerMetadata": {"orgId": "bae035ff-b466-4ff4-94d0-fc9efd9e1730", "shortName": "snyk", "dateUpdated": "2026-03-11T05:00:09.279Z"}, "descriptions": [{"value": "Versions of the package spin.js before 3.0.0 are vulnerable to Cross-site Scripting (XSS) via the spin() function that allows a creation of more than 1 alert for each 'target' element. An attacker would need to set an arbitrary key-value pair on Object.prototype through a crafted URL achieving a prototype pollution first, before being able to execute arbitrary JavaScript in the context of the user's browser.", "lang": "en"}], "references": [{"url": "https://security.snyk.io/vuln/SNYK-JS-SPINJS-15445079"}, {"url": "https://gist.github.com/ericcornelissen/1a73e28fa50c3009b0eb51ad2fc19f25"}], "affected": [{"product": "spin.js", "versions": [{"version": "0", "lessThan": "3.0.0", "status": "affected", "versionType": "semver"}], "vendor": "n/a"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-11T15:45:30.596227Z", "id": "CVE-2026-3884", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-11T15:45:37.336Z"}}]}}

{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-3884", "assignerOrgId": "bae035ff-b466-4ff4-94d0-fc9efd9e1730", "state": "PUBLISHED", "assignerShortName": "snyk", "dateReserved": "2026-03-10T15:23:07.934Z", "datePublished": "2026-03-11T05:00:09.279Z", "dateUpdated": "2026-03-11T15:45:37.336Z"}, "containers": {"cna": {"metrics": [{"cvssV3_1": {"version": "3.1", "attackVector": "NETWORK", "attackComplexity": "LOW", "exploitCodeMaturity": "PROOF_OF_CONCEPT", "privilegesRequired": "NONE", "userInteraction": "REQUIRED", "scope": "CHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N/E:P"}, "cvssV4_0": {"version": "4.0", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "exploitMaturity": "PROOF_OF_CONCEPT", "privilegesRequired": "NONE", "userInteraction": "ACTIVE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "LOW", "subIntegrityImpact": "LOW", "subAvailabilityImpact": "NONE", "baseScore": 5.1, "baseSeverity": "MEDIUM", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:P"}}], "credits": [{"value": "Eric Cornelissen", "lang": "en"}, {"value": "Samuel Kajava", "lang": "en"}], "problemTypes": [{"descriptions": [{"cweId": "CWE-79", "description": "Cross-site Scripting (XSS)", "lang": "en"}]}], "providerMetadata": {"orgId": "bae035ff-b466-4ff4-94d0-fc9efd9e1730", "shortName": "snyk", "dateUpdated": "2026-03-11T05:00:09.279Z"}, "descriptions": [{"value": "Versions of the package spin.js before 3.0.0 are vulnerable to Cross-site Scripting (XSS) via the spin() function that allows a creation of more than 1 alert for each 'target' element. An attacker would need to set an arbitrary key-value pair on Object.prototype through a crafted URL achieving a prototype pollution first, before being able to execute arbitrary JavaScript in the context of the user's browser.", "lang": "en"}], "references": [{"url": "https://security.snyk.io/vuln/SNYK-JS-SPINJS-15445079"}, {"url": "https://gist.github.com/ericcornelissen/1a73e28fa50c3009b0eb51ad2fc19f25"}], "affected": [{"product": "spin.js", "versions": [{"version": "0", "lessThan": "3.0.0", "status": "affected", "versionType": "semver"}], "vendor": "n/a"}]}, "adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-3884", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-11T15:45:30.596227Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-11T15:45:34.043Z"}}]}}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:spin.js:spin.js:*:*:*:*:*:node.js:*:*", "matchCriteriaId": "CED05130-432C-43B1-B388-53129997F97F", "versionEndExcluding": "3.0.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Versions of the package spin.js before 3.0.0 are vulnerable to Cross-site Scripting (XSS) via the spin() function that allows a creation of more than 1 alert for each 'target' element. An attacker would need to set an arbitrary key-value pair on Object.prototype through a crafted URL achieving a prototype pollution first, before being able to execute arbitrary JavaScript in the context of the user's browser."}, {"lang": "es", "value": "Las versiones del paquete spin.js anteriores a la 3.0.0 son vulnerables a Cross-site Scripting (XSS) a trav\u00e9s de la funci\u00f3n spin() que permite la creaci\u00f3n de m\u00e1s de 1 alerta por cada elemento 'target'. Un atacante necesitar\u00eda establecer un par clave-valor arbitrario en Object.prototype a trav\u00e9s de una URL manipulada, logrando primero una contaminaci\u00f3n de prototipos, antes de poder ejecutar JavaScript arbitrario en el contexto del navegador del usuario."}], "id": "CVE-2026-3884", "lastModified": "2026-05-07T18:08:05.353", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 2.7, "source": "report@snyk.io", "type": "Secondary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 2.0, "baseSeverity": "LOW", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "PROOF_OF_CONCEPT", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "LOW", "subIntegrityImpact": "LOW", "userInteraction": "ACTIVE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "NONE", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "report@snyk.io", "type": "Secondary"}]}, "published": "2026-03-11T06:17:15.183", "references": [{"source": "report@snyk.io", "tags": ["Broken Link"], "url": "https://gist.github.com/ericcornelissen/1a73e28fa50c3009b0eb51ad2fc19f25"}, {"source": "report@snyk.io", "tags": ["Third Party Advisory"], "url": "https://security.snyk.io/vuln/SNYK-JS-SPINJS-15445079"}], "sourceIdentifier": "report@snyk.io", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "report@snyk.io", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[0,3.0.0)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "manual", "scores": [{"score": 100.0, "source": "manual"}]}, "original": {"product": "spin.js", "source": "cna", "vendor": "n/a"}, "product": "spin.js", "vendor": "fgnass"}], "analysis": {"en": {"generated_at": "2026-03-17T16:38:10.225425+00:00", "value": {"mitigation_remediation": ["Upgrade spin.js to version 3.0.0 or later"], "summary": {"action": "Patch Upgrade", "impact": "Cross-site Scripting \u2013 arbitrary JavaScript execution in the user\u2019s browser"}, "threat_synthesis": {"affected_systems": "Any project that includes the outdated spin.js package, specifically all releases prior to 3.0.0. No precise version list is supplied by the CNA data, but all versions before 3.0.0 are affected according to the description.", "description_and_impact": "This vulnerability allows the creation of multiple alert() calls per target element when using spin() in spin.js. An attacker can inject arbitrary JavaScript into the user's browser context. The weakness is a classic Cross\u2011Site Scripting flaw (CWE\u201179). To trigger the flaw, the attacker must first manipulate Object.prototype by setting an arbitrary key\u2011value pair, a form of prototype pollution, through a crafted URL. Once prototype pollution is achieved, the spin() function\u2019s misuse permits execution of malicious scripts.", "risk_and_exploitability": "The CVSS score of 5.1 indicates a moderate severity. EPSS is less than 1\u202f%, suggesting that exploitation likelihood is low, and the vulnerability has not been cataloged as a known exploited vulnerability (not in KEV). The exploitation route requires both prototype pollution and the use of spin(), meaning an attacker must craft a URL to manipulate Object.prototype before triggering the XSS. Given these prerequisites, the risk to a typical deployment is moderate but not negligible. Monitoring for related exploit activity and ensuring mitigation is recommended."}}}}, "created": "2026-03-11T11:37:57.746271+00:00", "title": "Cross\u2011Site Scripting Vulnerability in spin.js via Prototype Pollution and Duplicate Alert Creation", "updated": "2026-03-20T14:37:55.770457+00:00", "vendors": ["fgnass", "fgnass$PRODUCT$spin.js"]}