CVE-2026-15187
Deferred Deferred - Pending Action

Prototype Pollution in Enquirer via Public API

Vulnerability report for CVE-2026-15187, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-09

Last updated on: 2026-07-09

Assigner: VulDB

Description

A security flaw has been discovered in enquirer up to 2.4.1. Affected is the function Enquirer.set of the component Public Package API. The manipulation of the argument question.name results in improperly controlled modification of object prototype attributes. The attack can be launched remotely. The exploit has been released to the public and may be used for attacks. The project was informed of the problem early through an issue report.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-09
Last Modified
2026-07-09
Generated
2026-07-09
AI Q&A
2026-07-09
EPSS Evaluated
N/A
NVD
EUVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
enquirer enquirer to 2.4.1 (inc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-94 The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.
CWE-1321 The product receives input from an upstream component that specifies attributes that are to be initialized or updated in an object, but it does not properly control modifications of attributes of the object prototype.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

This vulnerability is a prototype pollution flaw in the Enquirer library up to version 2.4.1. It occurs when the function Enquirer.set processes the argument question.name without proper validation. If an attacker supplies a question.name containing dangerous path segments like __proto__, constructor, or prototype, they can manipulate the Object.prototype. This means the attacker can modify fundamental JavaScript object properties remotely through the public API.

Such manipulation can lead to logic corruption, denial of service, unsafe property resolution, or further exploitation depending on how the application uses the Enquirer library.

Impact Analysis

The impact of this vulnerability includes the potential for attackers to corrupt application logic or cause denial of service by altering the prototype of JavaScript objects. This can lead to unexpected behavior in applications using the Enquirer library, potentially allowing attackers to bypass security controls or cause the application to malfunction.

Detection Guidance

This vulnerability involves prototype pollution through the manipulation of the argument question.name in the Enquirer library. Detection involves checking if any usage of Enquirer prompts includes dangerous path segments such as '__proto__', 'constructor', or 'prototype' in the question.name parameter.

You can detect attempts to exploit this vulnerability by monitoring logs or input data for suspicious prompt names containing these dangerous segments.

Since Enquirer is a Node.js library, you can search your codebase or runtime environment for usage of Enquirer prompts with potentially dangerous names.

  • Use grep or similar tools to find occurrences of '__proto__', 'constructor', or 'prototype' in your code or input data, for example: grep -r "__proto__" ./
  • Monitor network traffic or application logs for prompt names containing these segments.
  • Add runtime checks or logging in your application to detect if question.name contains dangerous path segments before passing to Enquirer.
Mitigation Strategies

The immediate mitigation step is to reject or sanitize any prompt names (question.name) that contain dangerous path segments such as '__proto__', 'constructor', or 'prototype' before they are processed by Enquirer.

Ensure that your application or any code using Enquirer validates input to prevent prototype pollution.

Update Enquirer to a version where this issue is fixed or apply patches that prevent nested writes to dangerous prototype properties.

If an update is not immediately available, implement input validation or filtering to block or sanitize malicious input.

Compliance Impact

The vulnerability in Enquirer allows prototype pollution via manipulation of the question.name argument, which can lead to logic corruption, denial of service, or further exploitation depending on the application.

While the CVE description and resources do not explicitly mention compliance with standards like GDPR or HIPAA, such a vulnerability could potentially impact compliance if exploited to compromise data integrity, availability, or security in systems handling sensitive personal or health information.

Specifically, unauthorized modification of object prototypes could lead to unexpected behavior or security breaches, which may violate requirements for data protection, system integrity, and incident response mandated by these regulations.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-15187. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart