Description
A weakness has been identified in antv layout 2.0.0. This impacts the function setNestedValue in the library lib/util/object.js. Executing a manipulation of the argument path can lead to improperly controlled modification of object prototype attributes. The attack can be launched remotely. The project was informed of the problem early through an issue report but has not responded yet.
Published: 2026-07-13
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability resides in the setNestedValue function of the antv layout library. An attacker can craft a malicious path argument, causing the function to alter the prototype chain of objects. This prototype pollution can lead to unintended changes in object behaviour and, in some cases, code execution or denial of service.

Affected Systems

The issue affects antv layout version 2.0.0, the JavaScript library released for data visualization and chart layout.

Risk and Exploitability

The CVSS score is 5.3, categorising the flaw as moderate risk. EPSS data is not available, and the vulnerability is not listed in the CISA KEV catalogue. Although an attack can be launched remotely by supplying a crafted path, no publicly available exploit or proof‑of‑concept has been reported, suggesting limited exploitation likelihood at present.

Generated by OpenCVE AI on July 14, 2026 at 12:52 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to a newer antv layout release that eliminates prototype pollution or apply any official patch if released.
  • Validate or sanitize all parameters passed to setNestedValue; disallow keys that can affect the prototype chain (such as "__proto__" or "constructor").
  • If upgrading or sanitisation is not feasible, remove or replace the vulnerable function with a secure alternative implementation.

Generated by OpenCVE AI on July 14, 2026 at 12:52 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 14 Jul 2026 13:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 13 Jul 2026 22:15:00 +0000

Type Values Removed Values Added
Description A weakness has been identified in antv layout 2.0.0. This impacts the function setNestedValue in the library lib/util/object.js. Executing a manipulation of the argument path can lead to improperly controlled modification of object prototype attributes. The attack can be launched remotely. The project was informed of the problem early through an issue report but has not responded yet.
Title antv layout object.js setNestedValue prototype pollution
First Time appeared Antv
Antv layout
Weaknesses CWE-1321
CWE-94
CPEs cpe:2.3:a:antv:layout:*:*:*:*:*:*:*:*
Vendors & Products Antv
Antv layout
References
Metrics cvssV2_0

{'score': 6.5, 'vector': 'AV:N/AC:L/Au:S/C:P/I:P/A:P/E:ND/RL:ND/RC:UR'}

cvssV3_0

{'score': 6.3, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:X/RL:X/RC:R'}

cvssV3_1

{'score': 6.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:X/RL:X/RC:R'}

cvssV4_0

{'score': 5.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X'}


cve-icon MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-07-14T13:01:23.090Z

Reserved: 2026-07-13T14:08:46.995Z

Link: CVE-2026-15598

cve-icon Vulnrichment

Updated: 2026-07-14T13:01:19.094Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-07-14T13:00:04Z

Weaknesses
  • CWE-1321

    Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')

  • CWE-94

    Improper Control of Generation of Code ('Code Injection')