
CVE-2026-1774

Critical

Published: 10 February 2026
Modified: 15 April 2026
KEV Added: not listed (not in the CISA KEV catalog at time of writing)
Patch: see the CASL GitHub repository and the advisories cited under Deeper analysis
CVSS v3.1: 9.8 (Critical) CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 0.0062 (45.2nd percentile)
Risk Priority: 70 (floored blend, peak EPSS)

Summary

CVE-2026-1774 is a critical-severity prototype pollution vulnerability (CWE-1321) in CASL Ability, the JavaScript permissions library published on npm as @casl/ability, affecting versions 2.4.0 through 6.7.4. NVD filed no CPE for this CVE, so the affected product is inferred from the description and references. Its CVSS v3.1 base score is 9.8 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE is ranked at the 45.2nd percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 RA-5 (Vulnerability Monitoring and Scanning) and SI-2 (Flaw Remediation), with SI-10 (Information Input Validation) as a compensating control until the library is updated.

Deeper analysis

CVE-2026-1774 is a prototype pollution vulnerability in CASL Ability, affecting versions 2.4.0 through 6.7.4 (an inclusive range). CASL Ability is a JavaScript library for defining and checking user permissions and abilities, maintained in the stalniy/casl GitHub repository under packages/casl-ability. The vulnerability was published on 2026-02-10 and carries a CVSS v3.1 base score of 9.8, reflecting its critical severity.

The vulnerability is exploitable remotely over the network (AV:N) with low attack complexity (AC:L), requires no privileges (PR:N) or user interaction (UI:N), and does not change scope (S:U). Successful exploitation has high impact on confidentiality, integrity and availability (C:H/I:H/A:H). The weakness class works as follows: when attacker-controlled keys such as __proto__ or constructor.prototype end up in an object that library code walks or merges, the attacker can add attributes to Object.prototype, which every plain object in the process then inherits. In a permissions library the most direct consequence is that access-control checks pass for rules the caller was never granted; where the application contains a suitable gadget, the same primitive can escalate to denial of service or code execution.
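The mechanism described above, as an added JavaScript example that is not CASL's code and not the library's vulnerable code path: a deliberately vulnerable recursive merge beside a hardened one, and a hypothetical rule check that a polluted Object.prototype satisfies for a user who was never granted the rule. The attacker payload, unsafeMerge/safeMerge and the canManageAll-style checks are all constructed for illustration and are not part of the CASL Ability API.

```javascript
// Added example, not the library's code: how CWE-1321 prototype pollution turns
// into an authorisation bypass, and one way to harden the merge path.
// unsafeMerge, safeMerge and the *CanManageAll checks are hypothetical
// stand-ins for the pattern, not CASL Ability's API.

// Constructed attacker input, e.g. a JSON request body that ends up in a deep
// merge. JSON.parse creates an *own* property literally named "__proto__".
const ATTACKER_JSON = '{"name":"bob","__proto__":{"manageAll":true}}';

// Deliberately vulnerable: walks every own key of the source, including
// "__proto__". target["__proto__"] resolves to Object.prototype, so the nested
// object is merged straight into it.
function unsafeMerge(target, source) {
  for (const key of Object.keys(source)) {
    const value = source[key];
    if (value !== null && typeof value === 'object') {
      if (target[key] === undefined) target[key] = {};
      unsafeMerge(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Hardened: reject the keys that reach a prototype, decide whether a slot
// exists without reading through the chain, and keep nested containers
// prototype-free so a later lookup cannot be satisfied by Object.prototype.
const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);
const hasOwn = (obj, key) => Object.prototype.hasOwnProperty.call(obj, key);

function safeMerge(target, source) {
  for (const key of Object.keys(source)) {
    if (FORBIDDEN_KEYS.has(key)) {
      throw new Error(`rejected untrusted key "${key}"`);
    }
    const value = source[key];
    if (value !== null && typeof value === 'object' && !Array.isArray(value)) {
      if (!hasOwn(target, key)) target[key] = Object.create(null);
      safeMerge(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Hypothetical permission checks. The naive one reads through the prototype
// chain; the strict one only honours a rule the rule object actually owns.
const naiveCanManageAll = (rules) => rules.manageAll === true;
const strictCanManageAll = (rules) =>
  hasOwn(rules, 'manageAll') && rules.manageAll === true;

// Runs both merges against the same payload and reports what an unrelated,
// empty rule set is granted afterwards. Restores Object.prototype so the
// pollution does not leak past the demonstration.
function demonstratePollution() {
  const result = {};
  try {
    unsafeMerge({}, JSON.parse(ATTACKER_JSON));
    // A brand-new, empty object now inherits the polluted attribute.
    result.vulnerableBypassed = naiveCanManageAll({});
    result.strictCheckHoldsWhenPolluted = strictCanManageAll({}) === false;
  } finally {
    delete Object.prototype.manageAll;
  }
  try {
    safeMerge({}, JSON.parse(ATTACKER_JSON));
    result.hardenedRejected = false;
  } catch (e) {
    result.hardenedRejected = true;
  }
  result.hardenedBypassed = naiveCanManageAll({});
  return result;
}

console.log(demonstratePollution());
```

Rejecting `__proto__` alone is not enough: `constructor.prototype` reaches the same object, which is why the denylist carries all three keys and the strict check only honours own properties. Node's `--disable-proto=throw` flag removes the `__proto__` accessor but leaves the `constructor.prototype` path open, so treat it as defence in depth rather than the fix.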

Advisories and references (the CERT/CC vulnerability note at kb.cert.org/vuls/id/458422, the CWE-1321 definition at cwe.mitre.org/data/definitions/1321.html, and the Mozilla Developer Network documentation on prototype pollution) give additional context on the issue. Specific patch and mitigation guidance is in those sources and in the CASL GitHub repository; this page does not record a fixed version.


Vulnerability details

CASL Ability, versions 2.4.0 through 6.7.4, contains a prototype pollution vulnerability.

CWE(s)
CWE-1321 Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution'), per the referenced advisories; NVD lists none

Related Threats

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1059.007 JavaScript Execution
Adversaries may abuse various implementations of JavaScript for execution.
Why these techniques?

Prototype pollution in a JavaScript permissions library can yield an authorisation bypass or, given a suitable gadget in the application, code execution in the server-side JavaScript runtime. That maps to exploitation of a public-facing application (T1190) and abuse of the JavaScript interpreter (T1059.007).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

Affected Assets

CASL Ability (@casl/ability), versions 2.4.0 through 6.7.4
NVD did not file a CPE for this CVE, so the affected product is inferred from the description and references (the earlier attribution to "Mitre" came from the cwe.mitre.org reference, not from the affected software)

Mitigating Controls (NIST 800-53 r5)

SI-2 Flaw Remediation (prevent)

Timely remediation through patching directly eliminates the prototype pollution vulnerability in CASL Ability versions 2.4.0 through 6.7.4. Confirm the deployed version after updating: the affected range is inclusive, and transitive copies nested under another package's node_modules are easy to miss.

RA-5 Vulnerability Monitoring and Scanning (detect)

Vulnerability scanning, including lockfile and SBOM checks in CI, identifies deployed instances of the vulnerable CASL Ability library, enabling proactive remediation.

SI-10 Information Input Validation (prevent)

Input validation keeps attacker-controlled keys (notably __proto__, constructor and prototype) out of the objects that reach CASL Ability functions susceptible to prototype pollution. This is a compensating control rather than a substitute for patching, because any other code path that merges untrusted JSON can pollute the same prototype.
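For the scanning control, an added example that is not the project's tooling: a small script that walks a package-lock.json and flags every installed copy of @casl/ability whose version falls inside the affected range the advisory gives, 2.4.0 through 6.7.4 inclusive. It handles both the "packages" map of lockfile v2/v3 (which lists nested copies under their node_modules path) and the nested "dependencies" tree of lockfile v1. The lockfile object embedded below is constructed for the demonstration; @casl/ability is assumed to be the npm package the page calls "CASL Ability".

```javascript
// Added example, not CASL's or NVD's tooling: find installed copies of
// @casl/ability inside the affected range stated in the advisory.

const AFFECTED_PACKAGE = '@casl/ability';
const AFFECTED_MIN = [2, 4, 0]; // first affected version (inclusive)
const AFFECTED_MAX = [6, 7, 4]; // last affected version (inclusive)

// Parses "MAJOR.MINOR.PATCH" (a leading "v" and any "-pre"/"+build" suffix are
// ignored) into a numeric triple; returns null for anything unreadable.
function parseSemver(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(String(v).trim());
  return m ? [Number(m[1]), Number(m[2]), Number(m[3])] : null;
}

function compareSemver(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

// True when MIN <= version <= MAX. Unparseable versions are reported as not
// affected, so callers should still eyeball anything that fails to parse.
function isAffected(version) {
  const t = parseSemver(version);
  if (!t) return false;
  return compareSemver(t, AFFECTED_MIN) >= 0 && compareSemver(t, AFFECTED_MAX) <= 0;
}

// Returns [{path, version, affected}] for every installed copy of the package.
// Lockfile v2/v3: "packages" keyed by install path, nested copies included.
// Lockfile v1: "dependencies" nested recursively. v2 carries both sections,
// so "packages" is preferred to avoid counting each copy twice.
function findCasl(lock) {
  const found = [];
  const suffix = 'node_modules/' + AFFECTED_PACKAGE;
  if (lock.packages) {
    for (const [p, meta] of Object.entries(lock.packages)) {
      if (p.endsWith(suffix)) {
        found.push({ path: p, version: meta.version, affected: isAffected(meta.version) });
      }
    }
  } else if (lock.dependencies) {
    const walk = (deps, prefix) => {
      for (const [name, meta] of Object.entries(deps)) {
        const p = prefix + 'node_modules/' + name;
        if (name === AFFECTED_PACKAGE) {
          found.push({ path: p, version: meta.version, affected: isAffected(meta.version) });
        }
        if (meta.dependencies) walk(meta.dependencies, p + '/');
      }
    };
    walk(lock.dependencies, '');
  }
  return found;
}

// Constructed lockfile (v3 layout): one top-level copy at the top of the
// affected range and one older copy nested under another package, outside it.
const SAMPLE_LOCK = {
  name: 'demo-app',
  lockfileVersion: 3,
  packages: {
    '': { name: 'demo-app', version: '1.0.0' },
    'node_modules/@casl/ability': { version: '6.7.4' },
    'node_modules/legacy-widget': { version: '0.3.1' },
    'node_modules/legacy-widget/node_modules/@casl/ability': { version: '2.3.9' },
  },
};

function report(lock) {
  const hits = findCasl(lock);
  for (const h of hits) {
    console.log(`${h.affected ? 'AFFECTED' : 'ok      '} ${String(h.version).padEnd(8)} ${h.path}`);
  }
  return hits;
}

report(SAMPLE_LOCK);
// To scan a real project instead:
// report(JSON.parse(require('fs').readFileSync('package-lock.json', 'utf8')));
```

The range check is deliberately inclusive at both ends because the advisory's "2.4.0 through 6.7.4" is inclusive; a copy at exactly 6.7.4 is still affected. The script does not name a fixed version, since this page records none; treat anything inside the range as needing the update described in the CASL repository.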
