Cross-site Scripting Vulnerability in Spin.js Package by Snyk
CVE-2026-3884

5.1MEDIUM

Key Information:

Vendor: Snyk
Status: Spin.js
Vendor: CVE Published:; 11 March 2026

What is CVE-2026-3884?

Spin.js prior to version 3.0.0 contains a vulnerability that exposes applications to Cross-site Scripting (XSS) attacks. Malicious actors can exploit this flaw through the spin() function by introducing an arbitrary key-value pair into Object.prototype via a specially crafted URL. This prototype pollution facilitates the execution of unauthorized JavaScript in the user's browser, leading to potential security breaches.

Affected Version(s)

spin.js 0 < 3.0.0

References

https://security.snyk.io/vuln/SNYK-JS-SPINJS-15445079

https://gist.github.com/ericcornelissen/1a73e28fa50c3009b...

CVSS V4

Score:

5.1

Severity:

MEDIUM

Confidentiality:

None

Integrity:

None

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Attack Required:

None

Privileges Required:

Undefined

User Interaction:

Unknown

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Mar 11, 2026
Vulnerability Reserved
Mar 10, 2026

Credit

Eric Cornelissen

Samuel Kajava

CVE-2026-3884 Data

JSON