CVE-2026-41690 - Vulnerability Analysis
HighCVSS: 8.6Last Updated: May 8, 2026
18next-http-middleware - Prototype Pollution
Published: May 8, 2026Updated: May 8, 2026Remote Exploitable
Overview
18next-http-middleware < 3.9.3 contains a prototype pollution vulnerability caused by unvalidated entry points in getResourcesHandler and missingKeyHandler, letting unauthenticated HTTP clients manipulate Object.prototype, potentially leading to authorization bypass, DoS, or RCE.
Severity & Score
Severity: High
CVSS Score: 8.6
Impact
Unauthenticated attackers can manipulate Object.prototype, causing authorization bypass, denial of service, or remote code execution.
Mitigation
Upgrade to version 3.9.3 or later.
References
Related Resources
Details
- CVE ID
- CVE-2026-41690
- Severity
- High
- CVSS Score
- 8.6
- Type
- prototype_pollution
- Status
- new
CWE
- CWE-22
CVSS Metrics
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:L