CVE-2026-15538
Received Received - Intake

Prototype Pollution in PrimeReact API

Vulnerability report for CVE-2026-15538, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-13

Last updated on: 2026-07-13

Assigner: VulDB

Description

A weakness has been identified in primefaces primereact up to 10.9.8. This issue affects the function ObjectUtils.mutateFieldData of the component API. This manipulation of the argument Field causes improperly controlled modification of object prototype attributes. The attack is possible to be carried out remotely. The project was informed of the problem early through an issue report but has not responded yet. This vulnerability only affects products that are no longer supported by the maintainer.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-13
Last Modified
2026-07-13
Generated
2026-07-13
AI Q&A
2026-07-13
EPSS Evaluated
N/A
NVD
EUVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
primefaces primereact to 10.9.8 (inc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-94 The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.
CWE-1321 The product receives input from an upstream component that specifies attributes that are to be initialized or updated in an object, but it does not properly control modifications of attributes of the object prototype.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Compliance Impact

The vulnerability allows remote attackers to manipulate the Object.prototype via prototype pollution in the ObjectUtils.mutateFieldData function. This can lead to unauthorized modification of inherited properties, potentially affecting authorization, configuration, and control-flow checks.

Such unauthorized modifications could undermine security controls that are critical for compliance with standards like GDPR and HIPAA, which require protection of data integrity and access controls.

However, the vulnerability affects only unsupported versions of PrimeReact, and the project has not responded to the issue, which may increase risk if these versions are still in use in regulated environments.

Executive Summary

CVE-2026-15538 is a prototype pollution vulnerability in the ObjectUtils.mutateFieldData function of the primereact/utils package, specifically in version 10.9.8.

The vulnerability occurs when the 'field' argument contains prototype-related path segments such as '__proto__'. The function splits the field by dots and traverses the object path before assigning the value, which can inadvertently reach and modify Object.prototype.

This allows an attacker to manipulate the Object.prototype, causing newly created objects to inherit polluted properties. This can affect authorization, configuration, or control-flow checks that rely on inherited properties.

The suggested fix is to reject dangerous path segments like '__proto__', 'constructor', and 'prototype' at every nesting level before traversal or assignment, or to use own-property-only traversal semantics for safer nested writes.

Impact Analysis

This vulnerability can allow an attacker to remotely manipulate the Object.prototype, leading to prototype pollution.

As a result, newly created objects may inherit maliciously modified properties, which can impact authorization, configuration, feature flags, or control-flow checks that depend on these inherited properties.

Such manipulation can lead to unexpected behavior in applications, potentially allowing unauthorized access or bypassing security controls.

Detection Guidance

This vulnerability involves prototype pollution via the ObjectUtils.mutateFieldData function when the field argument contains prototype-related path segments such as __proto__, constructor, or prototype.

To detect this vulnerability on your system, you should check if your application uses PrimeReact version 10.9.8 or earlier and if it calls ObjectUtils.mutateFieldData with user-controllable input that could include dangerous path segments.

Since this is a code-level vulnerability, detection involves auditing your codebase for unsafe usage of mutateFieldData and scanning for suspicious payloads that include prototype pollution attempts.

  • Search your code for calls to ObjectUtils.mutateFieldData and verify if the field argument is sanitized.
  • Use grep or similar tools to find occurrences of '__proto__', 'constructor', or 'prototype' in inputs or logs that might indicate exploitation attempts.
  • Example command to find usage in code: grep -r 'mutateFieldData' ./
  • Example command to search logs for suspicious prototype pollution attempts: grep -rE '__proto__|constructor|prototype' /var/log/
Mitigation Strategies

Immediate mitigation steps include preventing the mutation of prototype-related properties by rejecting dangerous path segments such as __proto__, constructor, and prototype at every nesting level before traversal or assignment.

If possible, update or patch the code to implement own-property-only traversal semantics for nested writes to avoid affecting Object.prototype.

Since the affected PrimeReact versions are no longer supported, consider migrating to the new PrimeUI libraries or newer maintained versions that do not have this vulnerability.

  • Implement input validation to reject or sanitize any field names containing prototype pollution vectors.
  • Audit and restrict user input that is passed to ObjectUtils.mutateFieldData.
  • Monitor your application for unusual behavior that could indicate exploitation of prototype pollution.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-15538. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart