CVE-2026-26021
Analyzed Analyzed - Analysis Complete
Prototype Pollution in set-in npm Package Allows Object Manipulation

Publication date: 2026-02-11

Last updated on: 2026-02-13

Assigner: GitHub, Inc.

Description
set-in provides the set value of nested associative structure given array of keys. A prototype pollution vulnerability exists in the the npm package set-in (>=2.0.1, < 2.0.5). Despite a previous fix that attempted to mitigate prototype pollution by checking whether user input contained a forbidden key, it is still possible to pollute Object.prototype via a crafted input using Array.prototype. This has been fixed in version 2.0.5.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-02-11
Last Modified
2026-02-13
Generated
2026-05-07
AI Q&A
2026-02-12
EPSS Evaluated
2026-05-05
NVD
CVE-2026-26021
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
set-in_project set-in From 2.0.1 (inc) to 2.0.5 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-1321 The product receives input from an upstream component that specifies attributes that are to be initialized or updated in an object, but it does not properly control modifications of attributes of the object prototype.
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?

The vulnerability is a prototype pollution issue in the npm package set-in versions 2.0.1 to before 2.0.5. The package provides functionality to set values in nested associative structures using an array of keys. Despite a previous fix that tried to prevent prototype pollution by blocking certain forbidden keys, attackers can still exploit the vulnerability by crafting inputs that use Array.prototype to pollute Object.prototype.


How can this vulnerability impact me? :

This vulnerability can allow an attacker to modify the Object.prototype, which can lead to unexpected behavior in applications using the set-in package. Such prototype pollution can cause security issues like privilege escalation, denial of service, or arbitrary code execution depending on how the polluted prototype is used in the application.


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:

I don't know


How can this vulnerability be detected on my network or system? Can you suggest some commands?

I don't know


What immediate steps should I take to mitigate this vulnerability?

To mitigate this prototype pollution vulnerability in the npm package set-in, you should upgrade the package to version 2.0.5 or later, where the issue has been fixed.


Ask Our AI Assistant
Need more information? Ask your question to get an AI reply (Powered by our expertise)
0/70
EPSS Chart