CVE-2026-26021
Analyzed Analyzed - Analysis Complete
Prototype Pollution in set-in npm Package Allows Object Manipulation

Publication date: 2026-02-11

Last updated on: 2026-02-13

Assigner: GitHub, Inc.

Description
set-in provides the set value of nested associative structure given array of keys. A prototype pollution vulnerability exists in the the npm package set-in (>=2.0.1, < 2.0.5). Despite a previous fix that attempted to mitigate prototype pollution by checking whether user input contained a forbidden key, it is still possible to pollute Object.prototype via a crafted input using Array.prototype. This has been fixed in version 2.0.5.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-02-11
Last Modified
2026-02-13
Generated
2026-06-16
AI Q&A
2026-02-12
EPSS Evaluated
2026-06-14
NVD
CVE-2026-26021
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
set-in_project set-in From 2.0.1 (inc) to 2.0.5 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-1321 The product receives input from an upstream component that specifies attributes that are to be initialized or updated in an object, but it does not properly control modifications of attributes of the object prototype.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

The vulnerability is a prototype pollution issue in the npm package set-in versions 2.0.1 to before 2.0.5. The package provides functionality to set values in nested associative structures using an array of keys. Despite a previous fix that tried to prevent prototype pollution by blocking certain forbidden keys, attackers can still exploit the vulnerability by crafting inputs that use Array.prototype to pollute Object.prototype.

Impact Analysis

This vulnerability can allow an attacker to modify the Object.prototype, which can lead to unexpected behavior in applications using the set-in package. Such prototype pollution can cause security issues like privilege escalation, denial of service, or arbitrary code execution depending on how the polluted prototype is used in the application.

Compliance Impact

I don't know

Detection Guidance

I don't know

Mitigation Strategies

To mitigate this prototype pollution vulnerability in the npm package set-in, you should upgrade the package to version 2.0.5 or later, where the issue has been fixed.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-26021. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart