Description
Swiper is a free and mobile touch slider with hardware accelerated transitions and native behavior. Versions 6.5.1 through 12.1.1 have a Prototype pollution vulnerability. The vulnerability resides in line 94 of shared/utils.mjs, where the indexOf() function is used to check whether user-provided input contains forbidden strings. Despite a previous fix that attempted to mitigate prototype pollution by checking whether user input contained a forbidden key, it is still possible to pollute Object.prototype via a crafted input using Array.prototype. The exploit works across Windows and Linux and on Node and Bun runtimes. Any application that processes attacker-controlled input using this package may be affected by the following: Authentication Bypass, Denial of Service and RCE. This issue is fixed in version 12.1.2.
Published: 2026-02-21
Score: 9.4 Critical
EPSS: < 1% Very Low
KEV: No
Impact: Remote Code Execution
Action: Patch Now
AI Analysis

Impact

The vulnerability is a prototype pollution flaw in Swiper versions 6.5.1 through 12.1.1, located in shared/utils.mjs where an indexOf check fails to block user‑supplied keys that can overwrite Object.prototype. The flaw gives an attacker the ability to manipulate the global prototype chain, potentially leading to authentication bypass, denial of service, and remote code execution in any application that consumes attacker‑controlled input through this library.

Affected Systems

The affected software is the Swiper library from nolimits4web, deployed in Node.js and Bun environments on Windows and Linux. Versions between 6.5.1 and 12.1.1 are vulnerable; the fix is released in version 12.1.2.

Risk and Exploitability

With a CVSS score of 9.4 the vulnerability is rated critical. Although the EPSS score is under 1%, indicating a low predicted likelihood of exploitation in the wild, and the flaw is not listed in the CISA KEV catalog, the impact is severe. An attacker who can supply crafted input to a Swiper-dependent application can pollute Object.prototype and achieve remote code execution; the attack vector depends on the application passing untrusted data to the library rather than on network-level exploitation.

Generated by OpenCVE AI on April 17, 2026 at 16:52 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Swiper to version 12.1.2 or later.
  • Remove or replace any dependencies on Swiper versions 6.5.1 through 12.1.1 from all projects.
  • Restrict user input supplied to Swiper configurations, avoiding objects that contain Array.prototype or other prototype‑modifying keys.

Generated by OpenCVE AI on April 17, 2026 at 16:52 UTC.
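The description pins the flaw to a forbidden-string check done with indexOf() in shared/utils.mjs, and the recommended actions ask callers to keep prototype-modifying keys out of the option objects they hand to the library. The following is an added example, not Swiper's code and not a reproduction of the reported bypass: a generic CWE-1321 mitigation that validates and merges untrusted option objects by exact comparison of own property names, which is the check a substring or indexOf() test does not give you. The function names, the option keys and the sample JSON inputs are constructed for illustration.

```javascript
// Added example (not Swiper's own code). A deep-merge for user-supplied
// slider options that rejects the keys prototype-pollution payloads depend
// on, using exact own-key comparison rather than a substring/indexOf check.
const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

function isPlainObject(value) {
  if (value === null || typeof value !== 'object') return false;
  const proto = Object.getPrototypeOf(value);
  return proto === Object.prototype || proto === null;
}

// Returns the dotted path of the first forbidden key in an untrusted object,
// or null if none is present. Own property names are enumerated directly,
// so names reached through the prototype chain neither satisfy nor mask the
// check, and arrays are walked element by element. Input is assumed to be
// acyclic, as anything produced by JSON.parse is.
function findForbiddenKey(input, path = []) {
  if (!isPlainObject(input) && !Array.isArray(input)) return null;
  for (const key of Object.getOwnPropertyNames(input)) {
    const keyPath = [...path, key];
    if (FORBIDDEN_KEYS.has(key)) return keyPath.join('.');
    const nested = findForbiddenKey(input[key], keyPath);
    if (nested !== null) return nested;
  }
  return null;
}

// Merges `source` into `target`, throwing before any write if `source`
// carries a forbidden key at any depth. Only own enumerable keys of `source`
// are copied, and nested objects are created on `target` as own properties
// so an inherited name such as "toString" is shadowed rather than mutated.
function safeMergeOptions(target, source) {
  const bad = findForbiddenKey(source);
  if (bad !== null) throw new Error(`rejected option key "${bad}"`);
  for (const key of Object.keys(source)) {
    const value = source[key];
    if (isPlainObject(value)) {
      if (!Object.hasOwn(target, key) || !isPlainObject(target[key])) {
        target[key] = {};
      }
      safeMergeOptions(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// True when Object.prototype has no own property named `name`; used after
// processing untrusted input to confirm nothing leaked into the global chain.
function prototypeIsClean(name) {
  return !Object.hasOwn(Object.prototype, name);
}

// Constructed sample inputs (not taken from the advisory): one benign options
// object and one carrying a "__proto__" key, as JSON.parse would produce it.
const benignJson = '{"speed": 500, "pagination": {"clickable": true}}';
const hostileJson = '{"speed": 300, "__proto__": {"polluted": true}}';

const defaults = { speed: 100, pagination: { el: '.swiper-pagination' } };
const merged = safeMergeOptions(defaults, JSON.parse(benignJson));
console.log('merged options:', JSON.stringify(merged));

try {
  safeMergeOptions({}, JSON.parse(hostileJson));
} catch (err) {
  console.log('rejected:', err.message);
}
console.log('Object.prototype clean:', prototypeIsClean('polluted'));
```

The validation runs before the first write, so a rejected object leaves both the target and Object.prototype untouched; a check that fires midway through a merge can already have written part of the payload. For an additional layer, build the target with Object.create(null) so there is no prototype to reach at all.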


Advisories
Source        ID                    Title
GitHub GHSA   GHSA-hmx5-qpq5-p643   Prototype pollution in swiper
History

Wed, 25 Feb 2026 14:15:00 +0000

Type      Values Removed   Values Added
Metrics   -                ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Tue, 24 Feb 2026 15:30:00 +0000

Type                  Values Removed   Values Added
First Time appeared   -                Swiperjs
                                       Swiperjs swiper
CPEs                  -                cpe:2.3:a:swiperjs:swiper:*:*:*:*:*:node.js:*:*
Vendors & Products    -                Swiperjs
                                       Swiperjs swiper
Metrics               -                cvssV3_1: {'score': 7.8, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}


Mon, 23 Feb 2026 15:00:00 +0000

Type                  Values Removed   Values Added
First Time appeared   -                Nolimits4web
                                       Nolimits4web swiper
Vendors & Products    -                Nolimits4web
                                       Nolimits4web swiper

Sat, 21 Feb 2026 06:00:00 +0000

Type          Values Removed   Values Added
Description   -                Swiper is a free and mobile touch slider with hardware accelerated transitions and native behavior. Versions 6.5.1 through 12.1.1 have a Prototype pollution vulnerability. The vulnerability resides in line 94 of shared/utils.mjs, where the indexOf() function is used to check whether user provided input contain forbidden strings. Despite a previous fix that attempted to mitigate prototype pollution by checking whether user input contained a forbidden key, it is still possible to pollute Object.prototype via a crafted input using Array.prototype. The exploit works across Windows and Linux and on Node and Bun runtimes. Any application that processes attacker-controlled input using this package may be affected by the following: Authentication Bypass, Denial of Service and RCE. This issue is fixed in version 12.1.2.
Title         -                Swiper has a Prototype Pollution Vulnerability
Weaknesses    -                CWE-1321
References    -
Metrics       -                cvssV4_0: {'score': 9.4, 'vector': 'CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-02-24T18:53:04.131Z

Reserved: 2026-02-18T19:47:02.156Z

Link: CVE-2026-27212

Vulnrichment

Updated: 2026-02-24T18:52:57.132Z

NVD

Status : Analyzed

Published: 2026-02-21T06:17:01.443

Modified: 2026-02-24T15:16:56.670

Link: CVE-2026-27212

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-17T17:00:10Z

Weaknesses