Cyber Posture

CVE-2026-27212

High · Public PoC

Published: 21 February 2026

Modified: 24 February 2026
KEV Added: not listed
Patch: fixed in version 12.1.2
CVSS Score: 7.8 (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0008 (23.1st percentile)
Risk Priority: 16 (weighting: 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2026-27212 is a high-severity Prototype Pollution (CWE-1321) vulnerability in Swiperjs Swiper. Its CVSS base score is 7.8 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068); it is ranked at the 23.1st percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 RA-5 (Vulnerability Monitoring and Scanning) and SI-2 (Flaw Remediation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploitation for Privilege Escalation (T1068) and 2 other techniques. What defenders deploy: see the NIST 800-53 controls recommended below.
Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)

SI-2 Flaw Remediation (prevent / recover)

Directly requires identifying, prioritizing, and applying patches for known flaws like this prototype pollution vulnerability in Swiper versions 6.5.1 through 12.1.1.

RA-5 Vulnerability Monitoring and Scanning (detect)

Mandates vulnerability scanning to identify the presence of CVE-2026-27212 in deployed Swiper library instances across Node.js and Bun environments.

Input validation (prevent)

Requires validating attacker-controlled inputs before processing with Swiper to block crafted payloads exploiting the insufficient indexOf() check for prototype pollution.

MITRE ATT&CK Enterprise Techniques

T1068 Exploitation for Privilege Escalation (Privilege Escalation): Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
T1212 Exploitation for Credential Access (Credential Access): Adversaries may exploit software vulnerabilities in an attempt to collect credentials.
T1499.004 Application or System Exploitation (Impact): Adversaries may exploit software vulnerabilities that can cause an application or system to crash and deny availability to users.
Why these techniques?

Prototype pollution in Swiper enables local exploitation for privilege escalation (RCE/auth bypass from low-priv context), credential access via authentication bypass, and DoS via object prototype manipulation on Node.js/Bun.

Confidence: MEDIUM · MITRE ATT&CK Enterprise v18.1

NVD Description

Swiper is a free and mobile touch slider with hardware accelerated transitions and native behavior. Versions 6.5.1 through 12.1.1 have a Prototype pollution vulnerability. The vulnerability resides in line 94 of shared/utils.mjs, where the indexOf() function is used to check whether user provided input contains forbidden strings. Despite a previous fix that attempted to mitigate prototype pollution by checking whether user input contained a forbidden key, it is still possible to pollute Object.prototype via a crafted input using Array.prototype. The exploit works across Windows and Linux and on Node and Bun runtimes. Any application that processes attacker-controlled input using this package may be affected by the following: Authentication Bypass, Denial of Service and RCE. This issue is fixed in version 12.1.2.

Deeper analysis

CVE-2026-27212 is a prototype pollution vulnerability in Swiper, a free and mobile touch slider library with hardware accelerated transitions and native behavior. The flaw affects versions 6.5.1 through 12.1.1 and resides in line 94 of shared/utils.mjs, where the indexOf() function checks user-provided input for forbidden strings. A prior fix intended to block prototype pollution by detecting forbidden keys proved insufficient, as crafted input leveraging Array.prototype can still pollute Object.prototype.

The vulnerability requires local access (AV:L) with low privileges (PR:L) and low complexity (AC:L), earning a CVSS v3.1 base score of 7.8 (C:H/I:H/A:H/S:U/UI:N). Local attackers can exploit it in any application processing attacker-controlled input with the affected Swiper versions, potentially achieving authentication bypass, denial of service, or remote code execution. The exploit works across Windows and Linux on Node.js and Bun runtimes.

Swiper version 12.1.2 addresses the issue. The GitHub security advisory (GHSA-hmx5-qpq5-p643), release notes for v12.1.2, and fixing commit (d3e663322a13043ca63aaba235d8cf3900e0c8cf) provide details on the patch and recommend upgrading immediately. This corresponds to CWE-1321 (Improperly Controlled Modification of Object Prototype Attributes).
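The NVD description and the analysis above both describe the same defect class: a forbidden-key filter that matches strings loosely and so lets a crafted object reach the prototype chain. As an added illustration (not Swiper's own code and not the 12.1.2 fix), here is a deep-extend that compares keys by exact match, only recurses into plain objects, and a probe a defender can run after processing untrusted options; `safeExtend`, `prototypePollutionProbe` and the sample JSON are all constructed for this example.

```javascript
// Added example (not Swiper's code): a deep-extend that refuses to write
// through the prototype chain, whatever shape the input arrives in.
// Forbidden keys are compared by exact match, never by substring search.
const FORBIDDEN_KEYS = new Set(["__proto__", "constructor", "prototype"]);

function isPlainObject(value) {
  if (value === null || typeof value !== "object") return false;
  const proto = Object.getPrototypeOf(value);
  // Accept only object literals / JSON objects and Object.create(null) objects;
  // arrays, class instances and anything else are copied by reference.
  return proto === Object.prototype || proto === null;
}

function safeExtend(target, source) {
  if (!isPlainObject(source)) return target;
  for (const key of Object.keys(source)) {
    // An own "__proto__" key (as JSON.parse produces) is skipped here.
    if (FORBIDDEN_KEYS.has(key)) continue;
    const value = source[key];
    if (isPlainObject(value)) {
      // Recurse only into a slot the target itself owns as a plain object;
      // otherwise start from a fresh, prototype-less container.
      const own = Object.prototype.hasOwnProperty.call(target, key) ? target[key] : undefined;
      target[key] = safeExtend(isPlainObject(own) ? own : Object.create(null), value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Defender-side probe: after untrusted input has been processed, confirm a
// brand-new object inherited nothing unexpected. Returns the keys that leaked.
function prototypePollutionProbe(suspectKeys) {
  const fresh = {};
  return suspectKeys.filter((k) => k in fresh);
}

// Constructed sample input (not a payload from the advisory): a JSON document
// carrying a forbidden key next to legitimate slider options.
const UNTRUSTED_JSON =
  '{"speed": 300, "__proto__": {"polluted": true}, "breakpoints": {"640": {"slidesPerView": 2}}}';

function demo() {
  const options = safeExtend({ speed: 100, loop: false }, JSON.parse(UNTRUSTED_JSON));
  return { options, leaked: prototypePollutionProbe(["polluted"]) };
}
```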

Details

CWE(s): CWE-1321 (Improperly Controlled Modification of Object Prototype Attributes)

Affected Products

swiperjs / swiper: versions 6.5.1 up to 12.1.2 (affected through 12.1.1; fixed in 12.1.2)

CVEs Like This One

CVE-2026-33696 (shared CWE-1321)
CVE-2025-70956 (shared CWE-1321)
CVE-2026-25047 (shared CWE-1321)
CVE-2024-57065 (shared CWE-1321)
CVE-2024-57071 (shared CWE-1321)
CVE-2024-57063 (shared CWE-1321)
CVE-2024-57084 (shared CWE-1321)
CVE-2024-57086 (shared CWE-1321)
CVE-2026-32886 (shared CWE-1321)
CVE-2025-57350 (shared CWE-1321)
