Prototype Pollution Vulnerability in Swiper Product by Nolimits4web
CVE-2026-27212

9.4CRITICAL

Key Information:

Vendor

Nolimits4web

Status
Swiper
Vendor
CVE Published:
21 February 2026

What is CVE-2026-27212?

The Swiper framework, widely used for mobile touch slider functionality, contains a prototype pollution issue affecting versions 6.5.1 to 12.1.1. The vulnerability exists due to improper handling of user input in shared/utils.mjs, specifically at line 94 where the indexOf() function fails to adequately filter forbidden strings. This oversight allows attackers to potentially manipulate Object.prototype through crafted inputs utilizing Array.prototype, impacting applications on both Windows and Linux platforms and across various JavaScript runtimes like Node and Bun. Applications leveraging this framework to process untrusted user input may face security risks including authentication bypass, denial of service, and remote code execution. Version 12.1.2 addresses this critical vulnerability.

Affected Version(s)

swiper >= 6.5.1, < 12.1.2

References

https://github.com/nolimits4web/swiper/security/advisorie...
x_refsource_CONFIRM
https://github.com/nolimits4web/swiper/commit/d3e663322a1...
x_refsource_MISC
https://github.com/nolimits4web/swiper/releases/tag/v12.1.2
x_refsource_MISC

CVSS V4

Score:
9.4
Severity:
CRITICAL
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Local
Attack Complexity:
Low
Attack Required:
None
Privileges Required:
Undefined
User Interaction:
None

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.