CVE-2026-16150
Received Received - Intake

Improper Prototype Pollution in Inputmask Library

Vulnerability report for CVE-2026-16150, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-18

Last updated on: 2026-07-18

Assigner: VulDB

Description

A vulnerability was found in RobinHerbots Inputmask up to 5.0.9. Affected by this issue is the function extendDefaults/extendDefinitions/extendAliases in the library lib/dependencyLibs/extend.js of the component Internal Deep Merge Helper. The manipulation results in improperly controlled modification of object prototype attributes. The attack may be performed from remote. The project was informed of the problem early through an issue report but has not responded yet.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-18
Last Modified
2026-07-18
Generated
2026-07-19
AI Q&A
2026-07-18
EPSS Evaluated
N/A
NVD
EUVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
robinherbots inputmask to 5.0.9 (inc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-94 The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.
CWE-1321 The product receives input from an upstream component that specifies attributes that are to be initialized or updated in an object, but it does not properly control modifications of attributes of the object prototype.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

This is a prototype pollution vulnerability in the Inputmask library up to version 5.0.9. It affects the extendDefaults, extendDefinitions, and extendAliases functions in lib/dependencyLibs/extend.js. The issue allows attackers to modify Object.prototype by passing specially crafted objects containing keys like __proto__. This can lead to inherited property changes in ordinary objects, causing application logic errors or security bypasses.

Detection Guidance

Check if your application uses Inputmask library version 5.0.9 or earlier. Inspect JavaScript files for usage of extendDefaults, extendDefinitions, or extendAliases functions. Look for unsafe deep merge operations in lib/dependencyLibs/extend.js.

Impact Analysis

The impact includes application logic errors, denial of service, or security bypasses due to modified prototypes. Attackers could manipulate object properties across the application, potentially leading to unauthorized data access, privilege escalation, or unexpected behavior in form inputs managed by Inputmask.

Compliance Impact

This vulnerability could indirectly impact compliance with GDPR or HIPAA by enabling prototype pollution attacks that alter application logic or bypass security controls. Such attacks may lead to unauthorized data access, integrity violations, or service disruptions, which are critical concerns under these regulations. However, the direct impact depends on how the affected library is used in a specific system.

Mitigation Strategies

Upgrade Inputmask to a version that patches prototype pollution vulnerabilities. If upgrading is not possible, implement input validation to reject keys like __proto__, prototype, and constructor. Use Object.create(null) for target objects in merge operations.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-16150. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart