CVE-2026-6594
Received Received - Intake
Prototype Pollution Vulnerability in Brikcss Merge

Publication date: 2026-04-20

Last updated on: 2026-04-20

Assigner: VulDB

Description
A vulnerability was determined in brikcss merge up to 1.3.0. This affects an unknown part. Executing a manipulation of the argument __proto__/constructor.prototype/prototype can lead to improperly controlled modification of object prototype attributes. The attack may be performed from remote. The vendor was contacted early about this disclosure but did not respond in any way.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-04-20
Last Modified
2026-04-20
Generated
2026-06-16
AI Q&A
2026-04-20
EPSS Evaluated
2026-06-15
NVD
CVE-2026-6594
EUVD
EUVD-2026-23742
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
brikcss merge to 1.3.0 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-1321 The product receives input from an upstream component that specifies attributes that are to be initialized or updated in an object, but it does not properly control modifications of attributes of the object prototype.
CWE-94 The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability exists in brikcss merge up to version 1.3.0 and involves manipulation of certain object prototype attributes through arguments like __proto__, constructor.prototype, or prototype. An attacker can exploit this by remotely manipulating these arguments, leading to improper modification of object prototype attributes.

Impact Analysis

Exploiting this vulnerability can allow an attacker to modify object prototype attributes in an uncontrolled manner, which may lead to unexpected behavior or security issues in applications using the affected software. Since the attack can be performed remotely without authentication, it poses a significant risk.

Compliance Impact

The CVE-2026-6594 vulnerability allows an attacker to perform prototype pollution, which can lead to privilege escalation, denial of service, unexpected application behavior, and potentially remote code execution. Such impacts can compromise the confidentiality, integrity, and availability of data handled by the affected application.

While the provided information does not explicitly mention compliance with standards like GDPR or HIPAA, the ability to escalate privileges or cause unauthorized behavior could lead to violations of these regulations, which require protection of personal and sensitive data.

Therefore, if the affected application processes regulated data, this vulnerability could negatively impact compliance by exposing data to unauthorized access or manipulation.

Detection Guidance

This vulnerability can be detected by testing whether the merge function in the @brikcss/merge package improperly modifies the Object.prototype. A practical detection method is to execute a test merge with an object containing the special key __proto__ and then check if the pollution has occurred.

  • Use a JavaScript environment to run the following test code:
  • const merge = require('@brikcss/merge');
  • const obj = merge({}, {"__proto__": {"polluted": true}});
  • console.log({}.polluted); // If true, the system is vulnerable

If the output is true, it confirms that the Object.prototype has been polluted, indicating the presence of the vulnerability.

Mitigation Strategies

Immediate mitigation steps include avoiding the use of the vulnerable @brikcss/merge package version 1.3.0 or earlier, especially in environments exposed to untrusted input.

Since the vendor has not responded or provided a patch, consider the following actions:

  • Sanitize or validate all inputs to prevent untrusted objects containing __proto__, constructor.prototype, or prototype keys from being merged.
  • Implement runtime checks to detect prototype pollution attempts.
  • If possible, replace the vulnerable merge function with a safe alternative that does not merge special prototype keys.

Monitoring and restricting access to the affected functionality can also reduce the risk of exploitation.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-6594. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart