CVE-2026-15697
Deferred Deferred - Pending Action

Prototype Pollution in svg.js npm Package

Vulnerability report for CVE-2026-15697, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-14

Last updated on: 2026-07-14

Assigner: VulDB

Description

A vulnerability was found in svgdotjs svg.js up to 3.2.5. This affects the function EventTarget.on of the file svgdotjs/svg.js of the component npm Package API. Performing a manipulation results in improperly controlled modification of object prototype attributes. The attack may be initiated remotely. The project was informed of the problem early through an issue report but has not responded yet.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-14
Last Modified
2026-07-14
Generated
2026-07-14
AI Q&A
2026-07-14
EPSS Evaluated
N/A
NVD
EUVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
svgdotjs svg.js to 3.2.5 (inc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-94 The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.
CWE-1321 The product receives input from an upstream component that specifies attributes that are to be initialized or updated in an object, but it does not properly control modifications of attributes of the object prototype.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

CVE-2026-15697 is a prototype pollution vulnerability in the svgdotjs svg.js library up to version 3.2.5. The issue affects the EventTarget.on function in the file svgdotjs/svg.js, which is part of the npm Package API.

Prototype pollution occurs when an attacker manipulates object prototype attributes in JavaScript. In this case, the vulnerability allows improperly controlled modification of these attributes through the EventTarget.on function. Specifically, when special event names like __proto__, constructor, or prototype are passed, they can mutate JavaScript object prototypes without throwing exceptions. This can lead to silent prototype pollution, which may cause logic corruption, unsafe property lookups, or other security issues.

The attack can be initiated remotely, meaning an attacker does not need physical or local access to exploit the vulnerability. The project was informed of the issue early through an issue report but has not responded yet.

Impact Analysis

This vulnerability can impact you in several ways if you are using the affected version of the svgdotjs svg.js library (up to 3.2.5) in your applications:

  • Logic corruption: Prototype pollution can alter the behavior of JavaScript objects, leading to unexpected or malicious behavior in your application.
  • Unsafe property lookups: Attackers may exploit this vulnerability to access or modify properties that should not be accessible, potentially leading to data leaks or unauthorized actions.
  • Denial of Service (DoS): The vulnerability could be used to crash or slow down your application, making it unavailable to users.
  • Exploitation chains: Prototype pollution can be part of a larger attack chain, enabling further exploitation such as remote code execution or privilege escalation in some cases.

Since the attack can be initiated remotely, your application could be targeted by attackers over the internet without requiring direct access to your systems.

Compliance Impact

The impact of this vulnerability on compliance with common standards and regulations depends on how the affected library is used in your systems and the nature of the data or processes it handles:

  • GDPR (General Data Protection Regulation): If the vulnerability leads to unauthorized access or exposure of personal data processed by your application, it could result in a violation of GDPR. For example, if prototype pollution allows an attacker to access or manipulate sensitive user data, this could be considered a data breach under GDPR, requiring notification to authorities and affected individuals. Non-compliance could lead to significant fines and reputational damage.
  • HIPAA (Health Insurance Portability and Accountability Act): If your application handles protected health information (PHI) and the vulnerability results in unauthorized access or disclosure of this data, it could violate HIPAA's Security and Privacy Rules. This may lead to penalties, legal action, and mandatory corrective measures.
  • Other standards (e.g., PCI DSS, ISO 27001): If the affected library is part of a system that processes payment card data or is subject to information security management standards, the vulnerability could lead to non-compliance. For instance, PCI DSS requires secure handling of cardholder data, and a vulnerability that allows unauthorized access could violate this requirement.

In general, vulnerabilities like prototype pollution can undermine the security controls required by these regulations. Organizations are typically required to maintain secure systems, conduct risk assessments, and apply patches or mitigations promptly. Failure to address this vulnerability could be seen as a lapse in due diligence, potentially leading to compliance violations.

Detection Guidance

To detect the vulnerability CVE-2026-15697 in your system, you can check for the presence of the affected version of the svgdotjs svg.js library (up to 3.2.5).

  • Inspect your project's dependencies to identify if @svgdotjs/svg.js version 3.2.5 or earlier is installed. You can use the following command in a Node.js environment: npm list @svgdotjs/svg.js.
  • Search for the library in your project files or package.json to verify the installed version. Look for entries like @svgdotjs/svg.js or svg.js.
  • Check for the use of the EventTarget.on() method in your codebase, particularly if it processes user-controlled input for event names. This method is the source of the vulnerability.
  • Use static analysis tools or security scanners that support JavaScript libraries to detect prototype pollution vulnerabilities. Tools like npm audit or Snyk may help identify this issue if they have updated their vulnerability databases.

If you find the affected version, assume the vulnerability exists until you confirm otherwise or apply the necessary fixes.

Mitigation Strategies

To mitigate CVE-2026-15697, follow these immediate steps:

  • Upgrade the @svgdotjs/svg.js library to a version beyond 3.2.5 if a patched version is available. Check the project's GitHub repository or npm page for updates.
  • If no patched version is available, apply the suggested fix manually by modifying the EventTarget.on() method to reject dangerous event names or namespaces (e.g., __proto__, constructor, prototype) before object writes. Avoid traversing inherited properties in the event registry.
  • Implement input validation for event names in your application to prevent prototype pollution. Ensure user-controlled inputs are sanitized and do not include special property names.
  • Monitor your application for unusual behavior, such as unexpected property additions or logic corruption, which may indicate exploitation attempts.
  • Consider using security tools or libraries that detect and prevent prototype pollution attacks, such as Object.freeze(Object.prototype) in your application's initialization code to harden the environment.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-15697. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart