{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-6594", "assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "state": "PUBLISHED", "assignerShortName": "VulDB", "dateReserved": "2026-04-19T10:42:43.695Z", "datePublished": "2026-04-20T01:45:12.099Z", "dateUpdated": "2026-04-20T01:45:12.099Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "shortName": "VulDB", "dateUpdated": "2026-04-20T01:45:12.099Z"}, "title": "brikcss merge prototype pollution", "problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-1321", "lang": "en", "description": "Improperly Controlled Modification of Object Prototype Attributes"}]}, {"descriptions": [{"type": "CWE", "cweId": "CWE-94", "lang": "en", "description": "Code Injection"}]}], "affected": [{"vendor": "brikcss", "product": "merge", "versions": [{"version": "1.0", "status": "affected"}, {"version": "1.1", "status": "affected"}, {"version": "1.2", "status": "affected"}, {"version": "1.3.0", "status": "affected"}]}], "descriptions": [{"lang": "en", "value": "A vulnerability was determined in brikcss merge up to 1.3.0. This affects an unknown part. Executing a manipulation of the argument __proto__/constructor.prototype/prototype can lead to improperly controlled modification of object prototype attributes. The attack may be performed from remote. The vendor was contacted early about this disclosure but did not respond in any way."}], "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 6.9, "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X", "baseSeverity": "MEDIUM"}}, {"cvssV3_1": {"version": "3.1", "baseScore": 7.3, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:X/RL:X/RC:R", "baseSeverity": "HIGH"}}, {"cvssV3_0": {"version": "3.0", "baseScore": 7.3, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:X/RL:X/RC:R", "baseSeverity": "HIGH"}}, {"cvssV2_0": {"version": "2.0", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P/E:ND/RL:ND/RC:UR"}}], "timeline": [{"time": "2026-04-19T00:00:00.000Z", "lang": "en", "value": "Advisory disclosed"}, {"time": "2026-04-19T02:00:00.000Z", "lang": "en", "value": "VulDB entry created"}, {"time": "2026-04-19T12:47:54.000Z", "lang": "en", "value": "VulDB entry last update"}], "credits": [{"lang": "en", "value": "sudosme (VulDB User)", "type": "reporter"}, {"lang": "en", "value": "VulDB CNA Team", "type": "coordinator"}], "references": [{"url": "https://vuldb.com/vuln/358229", "name": "VDB-358229 | brikcss merge prototype pollution", "tags": ["vdb-entry", "technical-description"]}, {"url": "https://vuldb.com/vuln/358229/cti", "name": "VDB-358229 | CTI Indicators (IOB, IOC, TTP, IOA)", "tags": ["signature", "permissions-required"]}, {"url": "https://vuldb.com/submit/791805", "name": "Submit #791805 | brikcss @brikcss/merge 1.3.0 Prototype Pollution", "tags": ["third-party-advisory"]}, {"url": "https://github.com/sudo-secure/security-research/blob/main/brikcss-merge/prototype-pollution/PoC.md", "tags": ["exploit"]}]}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "A vulnerability was determined in brikcss merge up to 1.3.0. This affects an unknown part. Executing a manipulation of the argument __proto__/constructor.prototype/prototype can lead to improperly controlled modification of object prototype attributes. The attack may be performed from remote. The vendor was contacted early about this disclosure but did not respond in any way."}], "id": "CVE-2026-6594", "lastModified": "2026-04-20T02:16:15.633", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "HIGH", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 7.5, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "cna@vuldb.com", "type": "Secondary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 7.3, "baseSeverity": "HIGH", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.4, "source": "cna@vuldb.com", "type": "Primary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 6.9, "baseSeverity": "MEDIUM", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "LOW", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "LOW", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "cna@vuldb.com", "type": "Secondary"}]}, "published": "2026-04-20T02:16:15.633", "references": [{"source": "cna@vuldb.com", "url": "https://github.com/sudo-secure/security-research/blob/main/brikcss-merge/prototype-pollution/PoC.md"}, {"source": "cna@vuldb.com", "url": "https://vuldb.com/submit/791805"}, {"source": "cna@vuldb.com", "url": "https://vuldb.com/vuln/358229"}, {"source": "cna@vuldb.com", "url": "https://vuldb.com/vuln/358229/cti"}], "sourceIdentifier": "cna@vuldb.com", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-94"}, {"lang": "en", "value": "CWE-1321"}], "source": "cna@vuldb.com", "type": "Primary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-20T03:21:14.398841+00:00", "value": {"mitigation_remediation": ["Upgrade to the latest brikcss merge release that removes the prototype pollution flaw", "Add input validation to the merge call to reject any keys named \"__proto__\", \"constructor\", or other prototype\u2011related identifiers", "Ensure that the merge functionality is only invoked with data from trusted sources and not exposed to user\u2011controlled input", "Monitor application objects for unexpected changes in the prototype chain that could indicate an attempted exploitation"], "summary": {"action": "Immediate Patch", "impact": "Remote code execution via prototype pollution"}, "threat_synthesis": {"affected_systems": "The vulnerability is present in the brikcss merge package for all releases through 1.3.0. No specific sub\u2011module is identified, so any installation of brikcss merge in that range is potentially affected.", "description_and_impact": "The brikcss merge library contains a prototype pollution flaw in versions up to 1.3.0. A malicious user can supply an argument containing __proto__/constructor.prototype entries that cause the merge operation to write values into the Object prototype. This uncontrolled modification enables the attacker to alter global object properties, which can lead to logic bypasses or execution of arbitrary code. The weakness falls under CWE\u20111321 and CWE\u201194, reflecting unsanitized manipulation of built\u2011in prototypes and potential code injection.", "risk_and_exploitability": "With a CVSS score of 6.9, the flaw poses a moderate overall risk. No EPSS data is available and the issue is not listed in the CISA KEV catalog, but the vulnerability can be triggered remotely by supplying crafted input to the merge function. Attackers who gain control over the merge call are able to inject prototype properties that may compromise the application\u2019s correctness or enable further exploitation. Because the vendor has not released a patch, the risk remains present until an updated version is applied or mitigations are enforced."}}}}, "created": "2026-04-20T03:30:41.937985+00:00", "updated": "2026-04-20T03:30:41.937995+00:00", "vendors": []}