Prototype Pollution Vulnerability in spencermountain's Public Root API
CVE-2026-15699

5.3MEDIUM

Key Information:

Vendor
CVE Published:
14 July 2026

Badges

👾 Exploit Exists🟡 Public PoC

What is CVE-2026-15699?

A vulnerability affecting spencermountain’s Public Root API was identified in versions up to 14.15.1, specifically in the function nlp.extend located in the file src/API/extend.js. This vulnerability allows for unauthorized manipulation of the argument plugin, which could lead to uncontrolled modifications of object prototype attributes. Potentially exposing systems to remote exploitation. A patch has been released, identified by commit b4644ab7179700df0607521f61c1ee9b5f78d89d, that addresses this issue effectively, and users are strongly encouraged to apply it to protect against possible attacks.

Affected Version(s)

compromise 14.15.0

compromise 14.15.1

Exploit Proof of Concept (PoC)

PoC code is written by security researchers to demonstrate the vulnerability can be exploited. PoC code is also a key component for weaponization which could lead to ransomware.

References

CVSS V4

Score:
5.3
Severity:
MEDIUM
Confidentiality:
Low
Integrity:
Low
Availability:
Low
Attack Vector:
Network
Attack Complexity:
Low
Attack Required:
None
Privileges Required:
Undefined
User Interaction:
None

Timeline

  • 🟡

    Public PoC available

  • 👾

    Exploit known to exist

  • Vulnerability published

  • Vulnerability Reserved

Credit

wjm1 (VulDB User)
VulDB CNA Team
.