Description
A vulnerability was determined in brikcss merge up to 1.3.0. This affects an unknown part. Executing a manipulation of the argument __proto__/constructor.prototype/prototype can lead to improperly controlled modification of object prototype attributes. The attack may be performed from remote. The vendor was contacted early about this disclosure but did not respond in any way.
Published: 2026-04-20
Score: 6.9 Medium
EPSS: n/a
KEV: No
Impact: Remote code execution via prototype pollution
Action: Immediate Patch
AI Analysis

Impact

The brikcss merge library contains a prototype pollution flaw in versions up to 1.3.0. A malicious user can supply an argument whose keys include __proto__ or constructor.prototype, causing the merge operation to write values into Object.prototype. This uncontrolled modification lets the attacker alter properties inherited by every object, which can lead to logic bypasses or execution of arbitrary code. The weakness falls under CWE-1321 and CWE-94, reflecting unsanitized manipulation of built-in prototypes and potential code injection.

Affected Systems

The vulnerability is present in the brikcss merge package for all releases through 1.3.0. No specific sub-module is identified, so any installation of brikcss merge in that range is potentially affected.

Risk and Exploitability

With a CVSS score of 6.9, the flaw poses a moderate overall risk. No EPSS data is available and the issue is not listed in the CISA KEV catalog, but the vulnerability can be triggered remotely by supplying crafted input to the merge function. Attackers who gain control over the merge call are able to inject prototype properties that may compromise the application’s correctness or enable further exploitation. Because the vendor has not released a patch, the risk remains present until an updated version is applied or mitigations are enforced.

Generated by OpenCVE AI on April 20, 2026 at 03:21 UTC.

Remediation

No vendor fix or workaround is currently provided.

OpenCVE Recommended Actions

  • Upgrade to the latest brikcss merge release that removes the prototype pollution flaw
  • Add input validation to the merge call to reject any keys named "__proto__", "constructor", or other prototype-related identifiers
  • Ensure that the merge functionality is only invoked with data from trusted sources and not exposed to user-controlled input
  • Monitor application objects for unexpected changes in the prototype chain that could indicate an attempted exploitation
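
As an added example (not brikcss merge's own code), the naive recursive merge pattern this advisory describes beside a hardened version that applies the key-rejection recommendation above, plus the prototype-chain check the monitoring recommendation calls for; the key names are from the advisory, and any payload used with it is constructed input:

```javascript
// Added example, not code from brikcss merge. Demonstrates why an unchecked
// recursive merge reaches Object.prototype and how a hardened merge avoids it.

const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

function isPlainObject(value) {
  if (value === null || typeof value !== 'object') return false;
  const proto = Object.getPrototypeOf(value);
  return proto === Object.prototype || proto === null;
}

// Naive deep merge: walks every key of `source`, including an own key named
// "__proto__", and `target["__proto__"]` resolves to Object.prototype, so the
// nested values are written onto the shared prototype.
function naiveMerge(target, source) {
  for (const key in source) {
    if (isPlainObject(source[key])) {
      if (!isPlainObject(target[key])) target[key] = {};
      naiveMerge(target[key], source[key]);
    } else {
      target[key] = source[key];
    }
  }
  return target;
}

// Hardened deep merge: own keys only, prototype-related names are dropped, and
// nested writes land on the target's own property or a fresh object, never on
// anything reached through the prototype chain.
function safeMerge(target, source) {
  for (const key of Object.keys(source)) {
    if (FORBIDDEN_KEYS.has(key)) continue; // reject the pollution vectors
    const value = source[key];
    if (isPlainObject(value)) {
      const own = Object.prototype.hasOwnProperty.call(target, key) ? target[key] : undefined;
      target[key] = safeMerge(isPlainObject(own) ? own : {}, value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Monitoring check for a name the application never expects on Object.prototype:
// if a fresh object resolves it without owning it, the prototype chain was modified.
function isPolluted(name) {
  return !Object.prototype.hasOwnProperty.call({}, name) && ({})[name] !== undefined;
}
```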

Advisories

No advisories yet.

History

Mon, 20 Apr 2026 02:00:00 +0000

Type | Values Removed | Values Added
Description | | A vulnerability was determined in brikcss merge up to 1.3.0. This affects an unknown part. Executing a manipulation of the argument __proto__/constructor.prototype/prototype can lead to improperly controlled modification of object prototype attributes. The attack may be performed from remote. The vendor was contacted early about this disclosure but did not respond in any way.
Title | | brikcss merge prototype pollution
Weaknesses | | CWE-1321, CWE-94
References | |
Metrics | | cvssV2_0: {'score': 7.5, 'vector': 'AV:N/AC:L/Au:N/C:P/I:P/A:P/E:ND/RL:ND/RC:UR'}
 | | cvssV3_0: {'score': 7.3, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:X/RL:X/RC:R'}
 | | cvssV3_1: {'score': 7.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:X/RL:X/RC:R'}
 | | cvssV4_0: {'score': 6.9, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X'}


Subscriptions

No data.

MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-04-20T01:45:12.099Z

Reserved: 2026-04-19T10:42:43.695Z

Link: CVE-2026-6594

Vulnrichment

No data.

NVD

Status : Received

Published: 2026-04-20T02:16:15.633

Modified: 2026-04-20T02:16:15.633

Link: CVE-2026-6594

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-20T03:30:41Z

Weaknesses