The package linux-cmdline before 1.0.1 are vulnerable to Prototype Pollution via the constructor.

All versions of package nis-utils are vulnerable to Prototype Pollution via the setValue function.

All versions of package templ8 are vulnerable to Prototype Pollution via the parse function.

All versions of phpjs are vulnerable to Prototype Pollution via parse_str.

madlib-object-utils before 0.1.7 is vulnerable to Prototype Pollution via setValue.

This affects the package express-fileupload before 1.1.8. If the parseNested option is enabled, sending a corrupt HTTP request can lead to denial of service or arbitrary code execution.

An issue was discovered in ajv.validate() in Ajv (aka Another JSON Schema Validator) 6.12.2. A carefully crafted JSON schema could be provided that allows execution of other code by prototype pollution. (While untrusted schemas are recommended against, the worst case of an untrusted schema should be a denial of service, not execution of code.)

Prototype pollution attack when using _.zipObjectDeep in lodash before 4.17.20.

In all versions of package casperjs, the mergeObjects utility function is susceptible to Prototype Pollution.

In TYPO3 CMS greater than or equal to 9.0.0 and less than 9.5.17 and greater than or equal to 10.0.0 and less than 10.4.2, calling unserialize() on malicious user-submitted content can lead to modification of dynamically-determined object attributes and result in triggering deletion of an arbitrary directory in the file system, if it is writable for the web server. It can also trigger message submission via email using the identity of the web site (mail relay). Another insecure deserialization vulnerability is required to actually exploit mentioned aspects. This has been fixed in 9.5.17 and 10.4.2.