CVE-2026-45325
Deferred Deferred - Pending Action

Prototype Pollution in Gestor de Oferta utils

Vulnerability report for CVE-2026-45325, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-16

Last updated on: 2026-07-16

Assigner: GitHub, Inc.

Description

Gestor de Oferta is a web application for managing mobility service offerings. Prior to 20260509.0340.15, @tmlmobilidade/utils has a prototype pollution vulnerability in setValueAtPath() in packages/utils/src/generic/value-at-path.ts because unsafe path segments are not blocked. This issue is fixed in version 20260509.0340.15.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-16
Last Modified
2026-07-16
Generated
2026-07-16
AI Q&A
2026-07-16
EPSS Evaluated
N/A
NVD
EUVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
tmlmobilidade utils to 20260509.0340.15 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-1321 The product receives input from an upstream component that specifies attributes that are to be initialized or updated in an object, but it does not properly control modifications of attributes of the object prototype.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

CVE-2026-45325 is a prototype pollution vulnerability in the @tmlmobilidade/utils package affecting versions before 20260509.0340.15. It exists in the setValueAtPath() function due to unsafe path segments not being blocked. An attacker can exploit this to modify an object's prototype properties, potentially causing unintended behavior or security issues.

Detection Guidance

Detecting prototype pollution vulnerabilities like CVE-2026-45325 requires checking for unsafe path segments in the @tmlmobilidade/utils package. Review application logs for errors related to setValueAtPath() or prototype manipulation. Inspect network traffic for suspicious input patterns targeting object prototypes.

Impact Analysis

This vulnerability allows attackers to manipulate object prototypes, which could lead to arbitrary code execution, denial of service, or data tampering. Since the attack requires no privileges or user interaction, it poses a significant risk if exploited remotely over a network.

Compliance Impact

This vulnerability could potentially impact compliance with GDPR and HIPAA by allowing unauthorized modification of object prototypes, which may lead to data integrity issues or unintended code execution. Prototype pollution can be exploited to alter application behavior, potentially exposing or corrupting sensitive data. However, the provided context does not explicitly detail compliance impacts.

Mitigation Strategies

Upgrade @tmlmobilidade/utils to version 20260509.0340.15 or later. If upgrading is not possible, implement input validation to block unsafe path segments like __proto__, constructor, and prototype. Review and sanitize all user-controlled inputs passed to setValueAtPath().

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-45325. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart