Home / Vulnerability Intelligence / CVE-2026-26021

CVE-2026-26021 - Vulnerability Analysis

CriticalCVSS: 9.8

Last Updated: February 13, 2026

set-in - Prototype Pollution

Published: February 11, 2026Updated: February 13, 2026PoC AvailableRemote Exploitable

Overview

set-in >= 2.0.1, < 2.0.5 contains a prototype pollution vulnerability caused by insufficient input validation allowing crafted input using Array.prototype to pollute Object.prototype, letting attackers modify object prototypes remotely, exploit requires crafted input.

Severity & Score

Severity: Critical

CVSS Score: 9.8

EPSS Score: 5.3%(Probability of exploitation in next 30 days)

Impact

Attackers can modify Object.prototype, potentially leading to denial of service or privilege escalation.

Mitigation

Update to version 2.0.5 or later.

References

Social Media Activity(1 post)

TheHackerWire

@thehackerwire

Feb 14, 2026

🔴 CVE-2026-26021 - Critical (9.8) set-in provides the set value of nested associative structure given array of keys. A prototype pollution vulnerability exists in the the npm package set-in (>=2.0.1, < 2.0.5). Despite a previous fix that attempted to mitigate prototype pollutio... 🔗 https://www.thehackerwire.com/vulnerability/CVE-2026-26021/ #CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack

View original post

Related Resources

Details

CVE ID: CVE-2026-26021
Severity: Critical
CVSS Score: 9.8
Type: prototype_pollution
Status: confirmed
EPSS: 5.3%
Social Posts: 1

CWE

CWE-1321

CVSS Metrics

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

EPSS Score

5.3%Probability of exploitation in the next 30 days