Prototype Pollution in CartoDB carto-api-client by Carto
CVE-2026-16151
5.3MEDIUM
What is CVE-2026-16151?
A vulnerability exists in the CartoDB carto-api-client version 0.5.29, specifically within the addFilter function in the src/filters.ts file. This issue arises due to improper handling of the argument 'column', which can lead to unauthorized modifications of object prototype attributes. Exploiting this vulnerability allows remote attackers to manipulate object properties, potentially causing severe impacts on application integrity. Although the project maintainers have been made aware of this vulnerability, there has been no response to address the reported issue.
Affected Version(s)
carto-api-client 0.5.29
