CVE-2026-26021
Published: 11 February 2026
Summary
CVE-2026-26021 is a critical-severity Prototype Pollution (CWE-1321) vulnerability in Set-In Project Set-In. Its CVSS base score is 9.8 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 11.5th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 RA-5 (Vulnerability Monitoring and Scanning) and SI-2 (Flaw Remediation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Remediating the prototype pollution flaw in set-in by updating to version 2.0.5 or later directly prevents exploitation of CVE-2026-26021.
Vulnerability scanning identifies deployed instances of vulnerable set-in package versions affected by CVE-2026-26021.
Validating untrusted inputs prior to processing by the set-in function blocks crafted arrays that exploit the prototype pollution vulnerability.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
CVE enables unauthenticated remote exploitation of public-facing apps via crafted input to the vulnerable set-in function (T1190); resulting prototype pollution directly facilitates arbitrary code execution in JavaScript contexts (T1059.007).
NVD Description
set-in provides the set value of nested associative structure given array of keys. A prototype pollution vulnerability exists in the the npm package set-in (>=2.0.1, < 2.0.5). Despite a previous fix that attempted to mitigate prototype pollution by checking whether…
more
user input contained a forbidden key, it is still possible to pollute Object.prototype via a crafted input using Array.prototype. This has been fixed in version 2.0.5.
Deeper analysisAI
CVE-2026-26021 is a prototype pollution vulnerability in the npm package set-in, affecting versions >=2.0.1 and <2.0.5. The package provides functionality to set values in nested associative structures using an array of keys. Despite a prior fix that checked for forbidden keys in user input, attackers can still pollute Object.prototype through a crafted input leveraging Array.prototype. This issue, classified under CWE-1321, carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), indicating critical severity.
Unauthenticated remote attackers can exploit this vulnerability over the network with low complexity and no user interaction required. By supplying specially crafted input to the set-in function, they can modify Object.prototype, potentially leading to severe impacts such as arbitrary code execution, denial of service, or further compromise depending on how the polluted prototype is used in the application.
The vulnerability has been addressed in set-in version 2.0.5. Security practitioners should update to this version or later. Relevant details are available in the GitHub security advisory (GHSA-2c4m-g7rx-63q7) and the fixing commit (b8e1dabfdbd35c8d604b6324e01d03f280256c3d).
Details
- CWE(s)