{"id":"CVE-2019-10746","details":"mixin-deep is vulnerable to Prototype Pollution in versions before 1.3.2 and version 2.0.0. The function mixin-deep could be tricked into adding or modifying properties of Object.prototype using a constructor payload.","aliases":["GHSA-fhjf-83wg-r2j9"],"modified":"2026-02-23T08:15:24.400470Z","published":"2019-08-23T17:15:13.340Z","related":["ALSA-2021:0549","SNYK-JS-MIXINDEEP-450212"],"references":[{"type":"WEB","url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/BFNIVG2XYFPZJY3DYYBJASZ7ZMKBMIJT/"},{"type":"WEB","url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UXRA365KZCUNXMU3KDH5JN5BEPNIGUKC/"},{"type":"ADVISORY","url":"https://snyk.io/vuln/SNYK-JS-MIXINDEEP-450212"},{"type":"ADVISORY","url":"https://www.oracle.com//security-alerts/cpujul2021.html"},{"type":"FIX","url":"https://www.oracle.com//security-alerts/cpujul2021.html"},{"type":"EVIDENCE","url":"https://snyk.io/vuln/SNYK-JS-MIXINDEEP-450212"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/jonschlinkert/mixin-deep","events":[{"introduced":"0"},{"fixed":"754f0c20e1bc13ea5a21a64fbc7d6ba5f7b359b9"}]}],"versions":["1.0.1","1.1.0","1.1.2","1.1.3","1.2.0","1.3.0","1.3.1"],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2019-10746.json"}}],"schema_version":"1.7.3","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}]}