Prototype Pollution in CartoDB carto-api-client by Carto
CVE-2026-16151

5.3MEDIUM

Key Information:

Vendor

Cartodb

Vendor
CVE Published:
18 July 2026

What is CVE-2026-16151?

A vulnerability exists in the CartoDB carto-api-client version 0.5.29, specifically within the addFilter function in the src/filters.ts file. This issue arises due to improper handling of the argument 'column', which can lead to unauthorized modifications of object prototype attributes. Exploiting this vulnerability allows remote attackers to manipulate object properties, potentially causing severe impacts on application integrity. Although the project maintainers have been made aware of this vulnerability, there has been no response to address the reported issue.

Affected Version(s)

carto-api-client 0.5.29

References

CVSS V4

Score:
5.3
Severity:
MEDIUM
Confidentiality:
Low
Integrity:
Low
Availability:
Low
Attack Vector:
Network
Attack Complexity:
Low
Attack Required:
None
Privileges Required:
Undefined
User Interaction:
None

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

wjm1 (VulDB User)
VulDB CNA Team
.