{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-6621", "assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "state": "PUBLISHED", "assignerShortName": "VulDB", "dateReserved": "2026-04-19T16:26:25.296Z", "datePublished": "2026-04-20T08:30:14.457Z", "dateUpdated": "2026-04-20T15:33:04.684Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "shortName": "VulDB", "dateUpdated": "2026-04-20T08:30:14.457Z"}, "title": "1024bit extend-deep index.js prototype pollution", "problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-1321", "lang": "en", "description": "Improperly Controlled Modification of Object Prototype Attributes"}]}, {"descriptions": [{"type": "CWE", "cweId": "CWE-94", "lang": "en", "description": "Code Injection"}]}], "affected": [{"vendor": "1024bit", "product": "extend-deep", "versions": [{"version": "0.1.0", "status": "affected"}, {"version": "0.1.1", "status": "affected"}, {"version": "0.1.2", "status": "affected"}, {"version": "0.1.3", "status": "affected"}, {"version": "0.1.4", "status": "affected"}, {"version": "0.1.5", "status": "affected"}, {"version": "0.1.6", "status": "affected"}]}], "descriptions": [{"lang": "en", "value": "A vulnerability was determined in 1024bit extend-deep up to 0.1.6. The impacted element is an unknown function of the file index.js. This manipulation of the argument __proto__ causes improperly controlled modification of object prototype attributes. Remote exploitation of the attack is possible. The exploit has been publicly disclosed and may be utilized. The code repository of the project has not been active for many years."}], "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 6.9, "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P", "baseSeverity": "MEDIUM"}}, {"cvssV3_1": {"version": "3.1", "baseScore": 7.3, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R", "baseSeverity": "HIGH"}}, {"cvssV3_0": {"version": "3.0", "baseScore": 7.3, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R", "baseSeverity": "HIGH"}}, {"cvssV2_0": {"version": "2.0", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P/E:POC/RL:ND/RC:UR"}}], "timeline": [{"time": "2026-04-19T00:00:00.000Z", "lang": "en", "value": "Advisory disclosed"}, {"time": "2026-04-19T02:00:00.000Z", "lang": "en", "value": "VulDB entry created"}, {"time": "2026-04-19T18:31:34.000Z", "lang": "en", "value": "VulDB entry last update"}], "credits": [{"lang": "en", "value": "sudosme (VulDB User)", "type": "reporter"}, {"lang": "en", "value": "VulDB CNA Team", "type": "coordinator"}], "references": [{"url": "https://vuldb.com/vuln/358256", "name": "VDB-358256 | 1024bit extend-deep index.js prototype pollution", "tags": ["vdb-entry", "technical-description"]}, {"url": "https://vuldb.com/vuln/358256/cti", "name": "VDB-358256 | CTI Indicators (IOB, IOC, TTP, IOA)", "tags": ["signature", "permissions-required"]}, {"url": "https://vuldb.com/submit/792387", "name": "Submit #792387 | 1024bit extend-deep 0.1.6 Prototype Pollution", "tags": ["third-party-advisory"]}, {"url": "https://github.com/sudo-secure/security-research/blob/main/extend-deep/prototype-pollution/PoC.md", "tags": ["exploit"]}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-20T15:32:28.916284Z", "id": "CVE-2026-6621", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-20T15:33:04.684Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-6621", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-20T15:32:28.916284Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-20T15:32:54.251Z"}}], "cna": {"title": "1024bit extend-deep index.js prototype pollution", "credits": [{"lang": "en", "type": "reporter", "value": "sudosme (VulDB User)"}, {"lang": "en", "type": "coordinator", "value": "VulDB CNA Team"}], "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 6.9, "baseSeverity": "MEDIUM", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P"}}, {"cvssV3_1": {"version": "3.1", "baseScore": 7.3, "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R"}}, {"cvssV3_0": {"version": "3.0", "baseScore": 7.3, "baseSeverity": "HIGH", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R"}}, {"cvssV2_0": {"version": "2.0", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P/E:POC/RL:ND/RC:UR"}}], "affected": [{"vendor": "1024bit", "product": "extend-deep", "versions": [{"status": "affected", "version": "0.1.0"}, {"status": "affected", "version": "0.1.1"}, {"status": "affected", "version": "0.1.2"}, {"status": "affected", "version": "0.1.3"}, {"status": "affected", "version": "0.1.4"}, {"status": "affected", "version": "0.1.5"}, {"status": "affected", "version": "0.1.6"}]}], "timeline": [{"lang": "en", "time": "2026-04-19T00:00:00.000Z", "value": "Advisory disclosed"}, {"lang": "en", "time": "2026-04-19T02:00:00.000Z", "value": "VulDB entry created"}, {"lang": "en", "time": "2026-04-19T18:31:34.000Z", "value": "VulDB entry last update"}], "references": [{"url": "https://vuldb.com/vuln/358256", "name": "VDB-358256 | 1024bit extend-deep index.js prototype pollution", "tags": ["vdb-entry", "technical-description"]}, {"url": "https://vuldb.com/vuln/358256/cti", "name": "VDB-358256 | CTI Indicators (IOB, IOC, TTP, IOA)", "tags": ["signature", "permissions-required"]}, {"url": "https://vuldb.com/submit/792387", "name": "Submit #792387 | 1024bit extend-deep 0.1.6 Prototype Pollution", "tags": ["third-party-advisory"]}, {"url": "https://github.com/sudo-secure/security-research/blob/main/extend-deep/prototype-pollution/PoC.md", "tags": ["exploit"]}], "descriptions": [{"lang": "en", "value": "A vulnerability was determined in 1024bit extend-deep up to 0.1.6. The impacted element is an unknown function of the file index.js. This manipulation of the argument __proto__ causes improperly controlled modification of object prototype attributes. Remote exploitation of the attack is possible. The exploit has been publicly disclosed and may be utilized. The code repository of the project has not been active for many years."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-1321", "description": "Improperly Controlled Modification of Object Prototype Attributes"}]}, {"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-94", "description": "Code Injection"}]}], "providerMetadata": {"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "shortName": "VulDB", "dateUpdated": "2026-04-20T08:30:14.457Z"}}}, "cveMetadata": {"cveId": "CVE-2026-6621", "state": "PUBLISHED", "dateUpdated": "2026-04-20T15:33:04.684Z", "dateReserved": "2026-04-19T16:26:25.296Z", "assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "datePublished": "2026-04-20T08:30:14.457Z", "assignerShortName": "VulDB"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "A vulnerability was determined in 1024bit extend-deep up to 0.1.6. The impacted element is an unknown function of the file index.js. This manipulation of the argument __proto__ causes improperly controlled modification of object prototype attributes. Remote exploitation of the attack is possible. The exploit has been publicly disclosed and may be utilized. The code repository of the project has not been active for many years."}], "id": "CVE-2026-6621", "lastModified": "2026-04-20T09:16:10.170", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "HIGH", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 7.5, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "cna@vuldb.com", "type": "Secondary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 7.3, "baseSeverity": "HIGH", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.4, "source": "cna@vuldb.com", "type": "Primary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 6.9, "baseSeverity": "MEDIUM", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "PROOF_OF_CONCEPT", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "LOW", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "LOW", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "cna@vuldb.com", "type": "Secondary"}]}, "published": "2026-04-20T09:16:10.170", "references": [{"source": "cna@vuldb.com", "url": "https://github.com/sudo-secure/security-research/blob/main/extend-deep/prototype-pollution/PoC.md"}, {"source": "cna@vuldb.com", "url": "https://vuldb.com/submit/792387"}, {"source": "cna@vuldb.com", "url": "https://vuldb.com/vuln/358256"}, {"source": "cna@vuldb.com", "url": "https://vuldb.com/vuln/358256/cti"}], "sourceIdentifier": "cna@vuldb.com", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-94"}, {"lang": "en", "value": "CWE-1321"}], "source": "cna@vuldb.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "0.1.0"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "0.1.1"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "0.1.2"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "0.1.3"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "0.1.4"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "0.1.5"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "0.1.6"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "extend-deep", "source": "cna", "vendor": "1024bit"}, "product": "extend-deep", "vendor": "1024bit"}], "analysis": {"en": {"generated_at": "2026-04-20T09:50:35.110262+00:00", "value": {"mitigation_remediation": ["Upgrade the extend\u2011deep package to the latest version that removes the prototype\u2011pollution flaw.", "If upgrading is not immediately possible, monitor incoming arguments and sanitize any __proto__ properties before passing them to the library.", "Consider replacing or removing the extend\u2011deep dependency, especially if it handles untrusted input."], "summary": {"action": "Patch", "impact": "Prototype Pollution enabling potential Remote Code Execution"}, "threat_synthesis": {"affected_systems": "The library 1024bit extend\u2011deep is affected, with all releases up to and including version 0.1.6. Any application that imports or uses this module without upgrading is potentially vulnerable.", "description_and_impact": "A flaw in the index.js file of the 1024bit extend-deep library allows an attacker to manipulate the __proto__ property of objects. This leads to prototype pollution, where malicious values can overwrite properties on JavaScript prototypes. The result can be arbitrary code execution or other damaging changes to application state. The vulnerability is classified as CWE\u20111321 and involves unsafe execution paths associated with CWE\u201194. The exact source of malicious payload is not disclosed, but it is inferred that an attacker could trigger the flaw remotely by sending crafted input to the vulnerable function.", "risk_and_exploitability": "The CVSS score of 6.9 indicates a moderate to high severity. No EPSS data is available, and the vulnerability is not listed in CISA\u2019s KEV catalog. Publicly disclosed exploits exist, and remote exploitation is possible when untrusted data flows into the vulnerable function. Attackers can likely trigger the flaw through network\u2011based inputs or by including malicious payloads when the library is executed in a web environment. The likely attack vector is remote via network inputs or included malicious payloads, which is inferred rather than directly stated."}}}}, "created": "2026-04-20T10:00:03.963560+00:00", "updated": "2026-04-20T14:57:59.430950+00:00", "vendors": ["1024bit", "1024bit$PRODUCT$extend-deep"]}