CVE-2026-6621
Received Received - Intake
Prototype Pollution in 1024bit extend-deep index.js Enables Remote Exploitation

Publication date: 2026-04-20

Last updated on: 2026-04-29

Assigner: VulDB

Description
A vulnerability was determined in 1024bit extend-deep up to 0.1.6. The impacted element is an unknown function of the file index.js. This manipulation of the argument __proto__ causes improperly controlled modification of object prototype attributes. Remote exploitation of the attack is possible. The exploit has been publicly disclosed and may be utilized. The code repository of the project has not been active for many years.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-04-20
Last Modified
2026-04-29
Generated
2026-06-16
AI Q&A
2026-04-20
EPSS Evaluated
2026-06-15
NVD
CVE-2026-6621
EUVD
EUVD-2026-23812
Affected Vendors & Products
Currently, no data is known.
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-1321 The product receives input from an upstream component that specifies attributes that are to be initialized or updated in an object, but it does not properly control modifications of attributes of the object prototype.
CWE-94 The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability exists in the 1024bit extend-deep software up to version 0.1.6, specifically in an unknown function within the file index.js. It involves manipulation of the argument __proto__, which leads to improperly controlled modification of object prototype attributes. This flaw can be exploited remotely.

The vulnerability allows an attacker to alter the prototype of objects, potentially changing the behavior of the application in unintended ways.

Impact Analysis

Exploitation of this vulnerability can lead to unauthorized modification of object prototypes, which may result in unexpected application behavior, data corruption, or security bypasses.

Since the vulnerability can be exploited remotely without authentication or user interaction, it poses a significant risk to affected systems.

The CVSS scores indicate a medium to high severity, with impacts on confidentiality, integrity, and availability.

Compliance Impact

The vulnerability allows remote attackers to perform prototype pollution, which can lead to remote code execution, unexpected application behavior, bypassing security checks, and denial of service. Such impacts can compromise the confidentiality, integrity, and availability of data and systems.

Because of these security risks, affected systems may fail to meet compliance requirements of common standards and regulations like GDPR and HIPAA, which mandate protection of sensitive data and secure system operation.

However, the provided information does not explicitly state the direct effects on compliance with these standards.

Detection Guidance

This vulnerability can be detected by testing whether the extend-deep package version 0.1.6 in your system improperly merges objects containing the __proto__ property, leading to prototype pollution.

A practical approach is to run a proof of concept that merges a malicious object with a __proto__ property into a target object using extend-deep and then check if the polluted property appears on unrelated objects.

While specific commands are not provided, you can write a small JavaScript script that uses extend-deep to merge an object like { __proto__: { polluted: 'yes' } } into another object, then check if {}.polluted returns 'yes'.

Mitigation Strategies

Immediate mitigation steps include avoiding the use of the vulnerable extend-deep package version 0.1.6, especially since the code repository has not been active for many years and no fixes are likely available.

Consider removing or replacing extend-deep with a maintained alternative that properly sanitizes the __proto__ property to prevent prototype pollution.

Additionally, review your application code to ensure it does not merge untrusted input objects that could contain __proto__ properties.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-6621. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart