Description
Versions of the package spin.js before 3.0.0 are vulnerable to Cross-site Scripting (XSS) via the spin() function that allows a creation of more than 1 alert for each 'target' element. An attacker would need to set an arbitrary key-value pair on Object.prototype through a crafted URL achieving a prototype pollution first, before being able to execute arbitrary JavaScript in the context of the user's browser.
Published: 2026-03-11
Score: 5.1 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Cross-site Scripting – arbitrary JavaScript execution in the user’s browser
Action: Patch Upgrade
AI Analysis

Impact

This vulnerability allows the creation of multiple alert() calls per target element when using spin() in spin.js. An attacker can inject arbitrary JavaScript into the user's browser context. The weakness is a classic Cross‑Site Scripting flaw (CWE‑79). To trigger the flaw, the attacker must first manipulate Object.prototype by setting an arbitrary key‑value pair, a form of prototype pollution, through a crafted URL. Once prototype pollution is achieved, the spin() function’s misuse permits execution of malicious scripts.

Affected Systems

Any project that includes the outdated spin.js package, specifically all releases prior to 3.0.0. No precise version list is supplied by the CNA data, but all versions before 3.0.0 are affected according to the description.

Risk and Exploitability

The CVSS score of 5.1 indicates a moderate severity. EPSS is less than 1 %, suggesting that exploitation likelihood is low, and the vulnerability has not been cataloged as a known exploited vulnerability (not in KEV). The exploitation route requires both prototype pollution and the use of spin(), meaning an attacker must craft a URL to manipulate Object.prototype before triggering the XSS. Given these prerequisites, the risk to a typical deployment is moderate but not negligible. Monitoring for related exploit activity and ensuring mitigation is recommended.

Generated by OpenCVE AI on March 17, 2026 at 16:38 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade spin.js to version 3.0.0 or later

Generated by OpenCVE AI on March 17, 2026 at 16:38 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 20 Mar 2026 14:45:00 +0000

Type Values Removed Values Added
Title Cross‑Site Scripting Vulnerability in spin.js via Prototype Pollution and Duplicate Alert Creation

Wed, 11 Mar 2026 16:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 11 Mar 2026 12:00:00 +0000

Type Values Removed Values Added
First Time appeared Fgnass
Fgnass spin.js
Vendors & Products Fgnass
Fgnass spin.js

Wed, 11 Mar 2026 05:30:00 +0000

Type Values Removed Values Added
Description Versions of the package spin.js before 3.0.0 are vulnerable to Cross-site Scripting (XSS) via the spin() function that allows a creation of more than 1 alert for each 'target' element. An attacker would need to set an arbitrary key-value pair on Object.prototype through a crafted URL achieving a prototype pollution first, before being able to execute arbitrary JavaScript in the context of the user's browser.
Weaknesses CWE-79
References
Metrics cvssV3_1

{'score': 6.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N/E:P'}

cvssV4_0

{'score': 5.1, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:P'}

Subscriptions

Fgnass Spin.js
cve-icon MITRE

Status: PUBLISHED

Assigner: snyk

Published:

Updated: 2026-03-11T15:45:37.336Z

Reserved: 2026-03-10T15:23:07.934Z

Link: CVE-2026-3884

cve-icon Vulnrichment

Updated: 2026-03-11T15:45:34.043Z

cve-icon NVD

Status : Awaiting Analysis

Published: 2026-03-11T06:17:15.183

Modified: 2026-03-11T13:52:47.683

Link: CVE-2026-3884

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-03-20T14:37:55Z

Weaknesses