Prototype Pollution Vulnerability in Swiper Product by Nolimits4web
CVE-2026-27212

9.4CRITICAL

Key Information:

Vendor

Nolimits4web

Status
Swiper
Vendor
CVE Published:
21 February 2026

Badges

๐Ÿ‘พ Exploit Exists๐ŸŸก Public PoC

What is CVE-2026-27212?

The Swiper framework, widely used for mobile touch slider functionality, contains a prototype pollution issue affecting versions 6.5.1 to 12.1.1. The vulnerability exists due to improper handling of user input in shared/utils.mjs, specifically at line 94 where the indexOf() function fails to adequately filter forbidden strings. This oversight allows attackers to potentially manipulate Object.prototype through crafted inputs utilizing Array.prototype, impacting applications on both Windows and Linux platforms and across various JavaScript runtimes like Node and Bun. Applications leveraging this framework to process untrusted user input may face security risks including authentication bypass, denial of service, and remote code execution. Version 12.1.2 addresses this critical vulnerability.

Affected Version(s)

swiper >= 6.5.1, < 12.1.2

Exploit Proof of Concept (PoC)

PoC code is written by security researchers to demonstrate the vulnerability can be exploited. PoC code is also a key component for weaponization which could lead to ransomware.

resize-image-before-upload-secure
Created by stealths-labs

References

https://github.com/nolimits4web/swiper/security/advisorie...
x_refsource_CONFIRM
https://github.com/nolimits4web/swiper/commit/d3e663322a1...
x_refsource_MISC
https://github.com/nolimits4web/swiper/releases/tag/v12.1.2
x_refsource_MISC

CVSS V4

Score:
9.4
Severity:
CRITICAL
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Local
Attack Complexity:
Low
Attack Required:
None
Privileges Required:
Undefined
User Interaction:
None

Timeline

  • ๐ŸŸก

    Public PoC available

  • ๐Ÿ‘พ

    Exploit known to exist

  • Vulnerability published

  • Vulnerability Reserved

.