CVE-2026-26021

9.8 CRITICAL

📋 TL;DR

CVE-2026-26021 is a prototype pollution vulnerability in the npm package set-in that lets an attacker modify Object.prototype by supplying a crafted path array (one whose keys include '__proto__', or 'constructor' followed by 'prototype'). It affects applications that use set-in versions 2.0.1 through 2.0.4 to set values at user-controlled nested paths. Successful exploitation can lead to denial of service, remote code execution, or privilege escalation, depending on which polluted properties the application later reads.

💻 Affected Systems

Products:
  • set-in npm package
Versions: >=2.0.1, <2.0.5
Operating Systems: All platforms running Node.js
Default Config Vulnerable: ⚠️ Yes
Notes: Any application using set-in for nested object manipulation with user-controlled input is vulnerable.

📦 What is this software?

set-in is a small npm package that sets a value at a nested path inside a JavaScript object, called as setIn(obj, path, value) where path is an array of keys.

⚠️ Risk & Real-World Impact

🔴 Worst Case: Remote code execution, if the application contains a gadget that reads a polluted property into a code-execution sink (for example child process options or template engine settings), leading to complete system compromise, data exfiltration, and lateral movement within the network.

🟠 Likely Case: Application crashes, denial of service, or unauthorized modification of application behavior leading to data integrity issues.

🟢 If Mitigated: Limited impact with proper input validation and sandboxing, potentially causing only application instability.

🌐 Internet-Facing: HIGH - Web applications using vulnerable versions are directly exposed to attack vectors.
🏢 Internal Only: MEDIUM - Internal applications could be exploited through authenticated user input or internal API calls.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Exploitation requires understanding of prototype pollution techniques and ability to control input to set-in functions.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 2.0.5

Vendor Advisory: https://github.com/ahdinosaur/set-in/security/advisories/GHSA-2c4m-g7rx-63q7

Restart Required: Yes. Node.js loads modules at process start, so the running application must be restarted or redeployed to pick up the patched package; no operating system restart is needed.

Instructions:

1. Update package.json to require set-in version 2.0.5 or higher.
2. Run 'npm update set-in' or 'yarn upgrade set-in'. If set-in is only a transitive dependency ('npm ls set-in' shows it nested under another package), pin it with an npm 'overrides' or yarn 'resolutions' entry so the nested copy is updated as well.
3. Restart or redeploy the Node.js process and test application functionality after the update.

🔧 Temporary Workarounds

Input validation wrapper

all

Wrap set-in calls with a validation step that rejects any path segment able to reach Object.prototype ('__proto__', 'constructor', 'prototype'). Reject non-array paths outright instead of passing them through unchecked, and compare the stringified segment so a non-string key cannot slip past the check.

// Example validation wrapper around set-in
const setIn = require('set-in');
// Keys through which a nested write can reach Object.prototype
const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

function safeSetIn(obj, path, value) {
  if (!Array.isArray(path)) {
    throw new TypeError('set-in path must be an array of keys');
  }
  if (path.some(key => FORBIDDEN_KEYS.has(String(key)))) {
    throw new Error('Invalid path for set-in: prototype-reaching key rejected');
  }
  return setIn(obj, path, value);
}

🧯 If You Can't Patch

  • Implement strict input validation for all user-controlled data passed to set-in functions
  • Use object property whitelisting and avoid passing user-controlled arrays to set-in
  • As defense in depth, freeze Object.prototype at process start (Object.freeze(Object.prototype)); test first, since some libraries expect to add properties to it

🔍 How to Verify

Check if Vulnerable:

Check the resolved set-in version in package-lock.json or yarn.lock (package.json only records a version range) for any copy between 2.0.1 and 2.0.4, including nested copies installed under other dependencies' node_modules directories

Check Version:

npm list set-in | grep set-in

Verify Fix Applied:

Verify that every installed copy of set-in is version 2.0.5 or higher, and confirm at runtime that setting a path such as ['__proto__', 'x'] no longer adds x to Object.prototype
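The checks above, as an added example that is not part of the advisory or of set-in itself: a scan of a parsed package-lock.json for every installed copy of set-in in the affected range, and a runtime probe that calls a setIn implementation with prototype-reaching paths and reports whether Object.prototype gained a property. The lockfile contents and the naiveSetIn stand-in are constructed for the example; naiveSetIn is a deliberately unsafe in-place setter, not set-in's source, and exists only so the probe has something to catch offline. To check the real package, pass require('set-in') to probeForPollution instead.

```javascript
'use strict';
// Added verification helpers; not set-in's own code.
//  1. Static: scan a parsed package-lock.json for set-in copies in the affected range.
//  2. Dynamic: call a setIn implementation with prototype-reaching paths and check
//     whether Object.prototype gained a property.

const VULN_MIN = '2.0.1'; // first affected version (inclusive)
const FIXED = '2.0.5';    // first fixed version

// Compare two "major.minor.patch" strings numerically; pre-release tags are ignored.
function compareSemver(a, b) {
  const pa = a.split('-')[0].split('.').map(Number);
  const pb = b.split('-')[0].split('.').map(Number);
  for (let i = 0; i < 3; i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d;
  }
  return 0;
}

function isVulnerableVersion(version) {
  return compareSemver(version, VULN_MIN) >= 0 && compareSemver(version, FIXED) < 0;
}

// Every set-in version in a parsed package-lock.json, including nested copies under
// other packages. Supports lockfileVersion 2/3 ("packages" keyed by install path)
// and lockfileVersion 1 ("dependencies" nested per package).
function findSetInVersions(lock) {
  const found = new Set();
  for (const [installPath, meta] of Object.entries(lock.packages || {})) {
    if (installPath === 'node_modules/set-in' || installPath.endsWith('/node_modules/set-in')) {
      found.add(meta.version);
    }
  }
  (function walk(deps) {
    for (const [name, meta] of Object.entries(deps || {})) {
      if (name === 'set-in' && meta.version) found.add(meta.version);
      walk(meta.dependencies);
    }
  })(lock.dependencies);
  return [...found];
}

function vulnerableVersionsIn(lock) {
  return findSetInVersions(lock).filter(isVulnerableVersion);
}

// Runtime probe. Returns true if calling setIn with a polluting path left a property
// on Object.prototype. The check is made on a fresh object, not on the return value
// or on whether setIn threw: an implementation can pollute first and throw afterwards.
// Cleans up the marker so later code is unaffected.
function probeForPollution(setIn) {
  const MARK = '__setin_probe__';
  const paths = [
    ['__proto__', MARK],
    ['constructor', 'prototype', MARK],
  ];
  let polluted = false;
  for (const path of paths) {
    try {
      setIn({}, path, true);
    } catch (_) {
      // Rejecting the path is the safe outcome; fall through to the side-effect check.
    }
    if (({})[MARK] !== undefined) polluted = true;
    delete Object.prototype[MARK];
  }
  return polluted;
}

// Constructed stand-in for a vulnerable nested setter (NOT set-in's source): mutates
// in place and follows any key, so '__proto__' walks straight into Object.prototype.
function naiveSetIn(obj, keys, value) {
  if (keys.length === 0) return value;
  const [key, ...rest] = keys;
  obj[key] = naiveSetIn(obj[key] === undefined ? {} : obj[key], rest, value);
  return obj;
}

// Constructed lockfileVersion 3 sample: one vulnerable copy, one fixed nested copy.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'demo-app', version: '1.0.0' },
    'node_modules/set-in': { version: '2.0.3' },
    'node_modules/some-dep/node_modules/set-in': { version: '2.0.5' },
  },
};

if (typeof require !== 'undefined' && require.main === module) {
  console.log('set-in versions:', findSetInVersions(SAMPLE_LOCK));
  console.log('vulnerable:', vulnerableVersionsIn(SAMPLE_LOCK));
  // Swap naiveSetIn for require('set-in') to probe the installed package.
  console.log('naiveSetIn pollutes Object.prototype:', probeForPollution(naiveSetIn));
}
```

Run it against a real project by replacing SAMPLE_LOCK with JSON.parse(fs.readFileSync('package-lock.json')) and naiveSetIn with require('set-in'); a patched set-in should either throw on the probe paths or leave Object.prototype untouched, and either outcome makes probeForPollution return false.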

📡 Detection & Monitoring

Log Indicators:

  • Unusual application crashes, unexpected object property modifications, or prototype pollution attempts in logs

Network Indicators:

  • Unusual API calls with array parameters containing suspicious keys like '__proto__' or 'constructor'

SIEM Query:

source="application_logs" AND ("set-in" OR "prototype pollution" OR "__proto__")
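A concrete form of the log and network indicators above, as an added example rather than anything from the advisory: a scanner that walks JSON request bodies recorded in application logs (and URL-encoded query strings) and flags '__proto__', 'constructor' and 'prototype' keys at any depth, including set-in style path arrays. The log line format (`<timestamp> <method> <url> body=<json>`) and the sample lines are constructed for the example.

```javascript
'use strict';
// Added detection example; not from the advisory. Scans log lines of the assumed form
//   <timestamp> <method> <url> body=<json>
// and flags prototype-pollution key patterns in the JSON body (any depth, including
// set-in style path arrays) and in URL-encoded query strings.

const DANGEROUS_KEYS = new Set(['__proto__', 'constructor', 'prototype']);
const LINE_RE = /^(\S+) (\S+) (\S+) body=(.*)$/;
// '__proto__' anywhere, or 'constructor' reaching 'prototype' via ][, [, or . separators.
const URL_RE = /__proto__|constructor[\]\[.]{0,2}prototype/;

// Walk a parsed JSON value and return dotted key paths that use a dangerous key.
// JSON.parse creates "__proto__" as an ordinary own property, so Object.keys sees it.
function findPollutionPaths(value, path = [], out = []) {
  if (Array.isArray(value)) {
    // A path array such as ["constructor","prototype","isAdmin"] handed to a setter
    if (value.some((k) => typeof k === 'string' && DANGEROUS_KEYS.has(k))) {
      out.push(path.join('.') + '[' + value.join(',') + ']');
    }
    value.forEach((v, i) => findPollutionPaths(v, [...path, String(i)], out));
  } else if (value !== null && typeof value === 'object') {
    for (const key of Object.keys(value)) {
      const here = [...path, key];
      if (DANGEROUS_KEYS.has(key)) out.push(here.join('.'));
      findPollutionPaths(value[key], here, out);
    }
  }
  return out;
}

// Scan lines; returns one alert per line that has at least one hit.
function scanLog(lines) {
  const alerts = [];
  lines.forEach((line, idx) => {
    const m = LINE_RE.exec(line);
    if (!m) return;
    const [, ts, method, url, rawBody] = m;
    const hits = [];

    let decodedUrl = url;
    try {
      decodedUrl = decodeURIComponent(url);
    } catch (_) {
      // Malformed percent-escape: scan the raw URL instead of dropping the line.
    }
    const urlHit = URL_RE.exec(decodedUrl);
    if (urlHit) hits.push('url:' + urlHit[0]);

    if (rawBody) {
      try {
        for (const p of findPollutionPaths(JSON.parse(rawBody))) hits.push('body:' + p);
      } catch (_) {
        // Not JSON; a production scanner would also decode form-encoded bodies here.
      }
    }
    if (hits.length > 0) alerts.push({ line: idx, ts, method, url, hits });
  });
  return alerts;
}

// Constructed sample log: one benign request, four pollution attempts.
const SAMPLE_LOG = [
  '2026-02-10T12:00:00Z POST /api/profile body={"name":"alice","prefs":{"theme":"dark"}}',
  '2026-02-10T12:00:01Z POST /api/profile body={"name":"mallory","__proto__":{"isAdmin":true}}',
  '2026-02-10T12:00:02Z PATCH /api/settings body={"path":["constructor","prototype","isAdmin"],"value":true}',
  '2026-02-10T12:00:03Z GET /api/search?q%5B__proto__%5D%5Bx%5D=1 body=',
  '2026-02-10T12:00:04Z POST /api/profile body={"prefs":{"constructor":{"prototype":{"polluted":1}}}}',
];

if (typeof require !== 'undefined' && require.main === module) {
  for (const a of scanLog(SAMPLE_LOG)) {
    console.log(`line ${a.line} ${a.ts} ${a.method} ${a.url} -> ${a.hits.join(', ')}`);
  }
}
```

'constructor' and 'prototype' are flagged wherever they appear as keys, which is the right default for a library that follows arbitrary key paths; if the application legitimately accepts fields with those names, tighten the object-key rule to 'constructor' followed by 'prototype' to cut false positives.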
