Prototype Pollution Vulnerability in spencermountain's Public Root API
CVE-2026-15699
Key Information:
- Vendor
Spencermountain
- Status
- Vendor
- CVE Published:
- 14 July 2026
Badges
What is CVE-2026-15699?
A vulnerability affecting spencermountain’s Public Root API was identified in versions up to 14.15.1, specifically in the function nlp.extend located in the file src/API/extend.js. This vulnerability allows for unauthorized manipulation of the argument plugin, which could lead to uncontrolled modifications of object prototype attributes. Potentially exposing systems to remote exploitation. A patch has been released, identified by commit b4644ab7179700df0607521f61c1ee9b5f78d89d, that addresses this issue effectively, and users are strongly encouraged to apply it to protect against possible attacks.
Affected Version(s)
compromise 14.15.0
compromise 14.15.1
Exploit Proof of Concept (PoC)
PoC code is written by security researchers to demonstrate the vulnerability can be exploited. PoC code is also a key component for weaponization which could lead to ransomware.
References
CVSS V4
Timeline
- 🟡
Public PoC available
- 👾
Exploit known to exist
Vulnerability published
Vulnerability Reserved
