Search

Find a vulnerability

Search criteria

    2 vulnerabilities found for json-schema-ref-parser by apidevtools

    CVE-2026-15195 (GCVE-0-2026-15195)

    Vulnerability from nvd – Published: 2026-07-09 17:15 – Updated: 2026-07-09 18:23 X_Open Source
    VLAI
    Title
    apidevtools json-schema-ref-parser pointer.ts Pointer.set prototype pollution
    Summary
    A weakness has been identified in apidevtools json-schema-ref-parser up to 15.3.5. This impacts the function Refs.set/Pointer.set in the library lib/pointer.ts. Executing a manipulation can lead to improperly controlled modification of object prototype attributes. The attack can be launched remotely. Upgrading to version 15.3.6 will fix this issue. This patch is called a786bc6afc3674f650496472ee93d5cf74c4bd84. It is suggested to upgrade the affected component.
    SSVC
    Exploitation: poc Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-1321 - Improperly Controlled Modification of Object Prototype Attributes
    • CWE-94 - Code Injection
    Assigner
    Impacted products
    Vendor Product Version
    apidevtools json-schema-ref-parser Affected: 15.3.0
    Affected: 15.3.1
    Affected: 15.3.2
    Affected: 15.3.3
    Affected: 15.3.4
    Affected: 15.3.5
    Unaffected: 15.3.6
        cpe:2.3:a:apidevtools:json-schema-ref-parser:*:*:*:*:*:*:*:*
    Create a notification for this product.
    Credits
    Dremig (VulDB User)
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-15195",
                    "options": [
                      {
                        "Exploitation": "poc"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-07-09T18:22:56.575261Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-07-09T18:23:06.195Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "references": [
              {
                "tags": [
                  "exploit"
                ],
                "url": "https://github.com/APIDevTools/json-schema-ref-parser/issues/421"
              }
            ],
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "cpes": [
                "cpe:2.3:a:apidevtools:json-schema-ref-parser:*:*:*:*:*:*:*:*"
              ],
              "product": "json-schema-ref-parser",
              "vendor": "apidevtools",
              "versions": [
                {
                  "status": "affected",
                  "version": "15.3.0"
                },
                {
                  "status": "affected",
                  "version": "15.3.1"
                },
                {
                  "status": "affected",
                  "version": "15.3.2"
                },
                {
                  "status": "affected",
                  "version": "15.3.3"
                },
                {
                  "status": "affected",
                  "version": "15.3.4"
                },
                {
                  "status": "affected",
                  "version": "15.3.5"
                },
                {
                  "status": "unaffected",
                  "version": "15.3.6"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "reporter",
              "value": "Dremig (VulDB User)"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "A weakness has been identified in apidevtools json-schema-ref-parser up to 15.3.5. This impacts the function Refs.set/Pointer.set in the library lib/pointer.ts. Executing a manipulation can lead to improperly controlled modification of object prototype attributes. The attack can be launched remotely. Upgrading to version 15.3.6 will fix this issue. This patch is called a786bc6afc3674f650496472ee93d5cf74c4bd84. It is suggested to upgrade the affected component."
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "baseScore": 5.3,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P",
                "version": "4.0"
              }
            },
            {
              "cvssV3_1": {
                "baseScore": 6.3,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:O/RC:C",
                "version": "3.1"
              }
            },
            {
              "cvssV3_0": {
                "baseScore": 6.3,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:O/RC:C",
                "version": "3.0"
              }
            },
            {
              "cvssV2_0": {
                "baseScore": 6.5,
                "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P/E:POC/RL:OF/RC:C",
                "version": "2.0"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-1321",
                  "description": "Improperly Controlled Modification of Object Prototype Attributes",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            },
            {
              "descriptions": [
                {
                  "cweId": "CWE-94",
                  "description": "Code Injection",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-07-09T17:15:08.989Z",
            "orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
            "shortName": "VulDB"
          },
          "references": [
            {
              "name": "VDB-377123 | apidevtools json-schema-ref-parser pointer.ts Pointer.set prototype pollution",
              "tags": [
                "vdb-entry",
                "technical-description"
              ],
              "url": "https://vuldb.com/vuln/377123"
            },
            {
              "name": "VDB-377123 | CTI Indicators (IOB, IOC, TTP, IOA)",
              "tags": [
                "signature",
                "permissions-required"
              ],
              "url": "https://vuldb.com/vuln/377123/cti"
            },
            {
              "name": "CVE-2026-15195 | CVE Analysis and Report",
              "tags": [
                "third-party-advisory"
              ],
              "url": "https://vuldb.com/cve/CVE-2026-15195"
            },
            {
              "name": "Submit #851809 | Node.js @apidevtools/json-schema-ref-parser 15.3.5 Improperly Controlled Modification of Object Prototype Attribute",
              "tags": [
                "third-party-advisory"
              ],
              "url": "https://vuldb.com/submit/851809"
            },
            {
              "tags": [
                "issue-tracking"
              ],
              "url": "https://github.com/APIDevTools/json-schema-ref-parser/issues/421"
            },
            {
              "tags": [
                "patch"
              ],
              "url": "https://github.com/APIDevTools/json-schema-ref-parser/commit/a786bc6afc3674f650496472ee93d5cf74c4bd84"
            },
            {
              "tags": [
                "patch"
              ],
              "url": "https://github.com/APIDevTools/json-schema-ref-parser/releases/tag/v15.3.6"
            },
            {
              "tags": [
                "product"
              ],
              "url": "https://github.com/APIDevTools/json-schema-ref-parser/"
            }
          ],
          "tags": [
            "x_open-source"
          ],
          "timeline": [
            {
              "lang": "en",
              "time": "2026-07-09T00:00:00.000Z",
              "value": "Advisory disclosed"
            },
            {
              "lang": "en",
              "time": "2026-07-09T02:00:00.000Z",
              "value": "VulDB entry created"
            },
            {
              "lang": "en",
              "time": "2026-07-09T08:05:56.000Z",
              "value": "VulDB entry last update"
            }
          ],
          "title": "apidevtools json-schema-ref-parser pointer.ts Pointer.set prototype pollution"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
        "assignerShortName": "VulDB",
        "cveId": "CVE-2026-15195",
        "datePublished": "2026-07-09T17:15:08.989Z",
        "dateReserved": "2026-07-09T06:00:53.324Z",
        "dateUpdated": "2026-07-09T18:23:06.195Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-15195 (GCVE-0-2026-15195)

    Vulnerability from cvelistv5 – Published: 2026-07-09 17:15 – Updated: 2026-07-09 18:23 X_Open Source
    VLAI
    Title
    apidevtools json-schema-ref-parser pointer.ts Pointer.set prototype pollution
    Summary
    A weakness has been identified in apidevtools json-schema-ref-parser up to 15.3.5. This impacts the function Refs.set/Pointer.set in the library lib/pointer.ts. Executing a manipulation can lead to improperly controlled modification of object prototype attributes. The attack can be launched remotely. Upgrading to version 15.3.6 will fix this issue. This patch is called a786bc6afc3674f650496472ee93d5cf74c4bd84. It is suggested to upgrade the affected component.
    SSVC
    Exploitation: poc Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-1321 - Improperly Controlled Modification of Object Prototype Attributes
    • CWE-94 - Code Injection
    Assigner
    Impacted products
    Vendor Product Version
    apidevtools json-schema-ref-parser Affected: 15.3.0
    Affected: 15.3.1
    Affected: 15.3.2
    Affected: 15.3.3
    Affected: 15.3.4
    Affected: 15.3.5
    Unaffected: 15.3.6
        cpe:2.3:a:apidevtools:json-schema-ref-parser:*:*:*:*:*:*:*:*
    Create a notification for this product.
    Credits
    Dremig (VulDB User)
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-15195",
                    "options": [
                      {
                        "Exploitation": "poc"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-07-09T18:22:56.575261Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-07-09T18:23:06.195Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "references": [
              {
                "tags": [
                  "exploit"
                ],
                "url": "https://github.com/APIDevTools/json-schema-ref-parser/issues/421"
              }
            ],
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "cpes": [
                "cpe:2.3:a:apidevtools:json-schema-ref-parser:*:*:*:*:*:*:*:*"
              ],
              "product": "json-schema-ref-parser",
              "vendor": "apidevtools",
              "versions": [
                {
                  "status": "affected",
                  "version": "15.3.0"
                },
                {
                  "status": "affected",
                  "version": "15.3.1"
                },
                {
                  "status": "affected",
                  "version": "15.3.2"
                },
                {
                  "status": "affected",
                  "version": "15.3.3"
                },
                {
                  "status": "affected",
                  "version": "15.3.4"
                },
                {
                  "status": "affected",
                  "version": "15.3.5"
                },
                {
                  "status": "unaffected",
                  "version": "15.3.6"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "reporter",
              "value": "Dremig (VulDB User)"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "A weakness has been identified in apidevtools json-schema-ref-parser up to 15.3.5. This impacts the function Refs.set/Pointer.set in the library lib/pointer.ts. Executing a manipulation can lead to improperly controlled modification of object prototype attributes. The attack can be launched remotely. Upgrading to version 15.3.6 will fix this issue. This patch is called a786bc6afc3674f650496472ee93d5cf74c4bd84. It is suggested to upgrade the affected component."
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "baseScore": 5.3,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P",
                "version": "4.0"
              }
            },
            {
              "cvssV3_1": {
                "baseScore": 6.3,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:O/RC:C",
                "version": "3.1"
              }
            },
            {
              "cvssV3_0": {
                "baseScore": 6.3,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:O/RC:C",
                "version": "3.0"
              }
            },
            {
              "cvssV2_0": {
                "baseScore": 6.5,
                "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P/E:POC/RL:OF/RC:C",
                "version": "2.0"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-1321",
                  "description": "Improperly Controlled Modification of Object Prototype Attributes",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            },
            {
              "descriptions": [
                {
                  "cweId": "CWE-94",
                  "description": "Code Injection",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-07-09T17:15:08.989Z",
            "orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
            "shortName": "VulDB"
          },
          "references": [
            {
              "name": "VDB-377123 | apidevtools json-schema-ref-parser pointer.ts Pointer.set prototype pollution",
              "tags": [
                "vdb-entry",
                "technical-description"
              ],
              "url": "https://vuldb.com/vuln/377123"
            },
            {
              "name": "VDB-377123 | CTI Indicators (IOB, IOC, TTP, IOA)",
              "tags": [
                "signature",
                "permissions-required"
              ],
              "url": "https://vuldb.com/vuln/377123/cti"
            },
            {
              "name": "CVE-2026-15195 | CVE Analysis and Report",
              "tags": [
                "third-party-advisory"
              ],
              "url": "https://vuldb.com/cve/CVE-2026-15195"
            },
            {
              "name": "Submit #851809 | Node.js @apidevtools/json-schema-ref-parser 15.3.5 Improperly Controlled Modification of Object Prototype Attribute",
              "tags": [
                "third-party-advisory"
              ],
              "url": "https://vuldb.com/submit/851809"
            },
            {
              "tags": [
                "issue-tracking"
              ],
              "url": "https://github.com/APIDevTools/json-schema-ref-parser/issues/421"
            },
            {
              "tags": [
                "patch"
              ],
              "url": "https://github.com/APIDevTools/json-schema-ref-parser/commit/a786bc6afc3674f650496472ee93d5cf74c4bd84"
            },
            {
              "tags": [
                "patch"
              ],
              "url": "https://github.com/APIDevTools/json-schema-ref-parser/releases/tag/v15.3.6"
            },
            {
              "tags": [
                "product"
              ],
              "url": "https://github.com/APIDevTools/json-schema-ref-parser/"
            }
          ],
          "tags": [
            "x_open-source"
          ],
          "timeline": [
            {
              "lang": "en",
              "time": "2026-07-09T00:00:00.000Z",
              "value": "Advisory disclosed"
            },
            {
              "lang": "en",
              "time": "2026-07-09T02:00:00.000Z",
              "value": "VulDB entry created"
            },
            {
              "lang": "en",
              "time": "2026-07-09T08:05:56.000Z",
              "value": "VulDB entry last update"
            }
          ],
          "title": "apidevtools json-schema-ref-parser pointer.ts Pointer.set prototype pollution"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
        "assignerShortName": "VulDB",
        "cveId": "CVE-2026-15195",
        "datePublished": "2026-07-09T17:15:08.989Z",
        "dateReserved": "2026-07-09T06:00:53.324Z",
        "dateUpdated": "2026-07-09T18:23:06.195Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }