CVE-2026-15699

Source
https://cve.org/CVERecord?id=CVE-2026-15699
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-15699.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-15699
Published
2026-07-14T15:45:08.286Z
Modified
2026-07-16T03:48:17.327749976Z
Severity
  • 2.1 (Low) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P CVSS Calculator
Summary
spencermountain compromise Public Root API extend.js nlp.extend prototype pollution
Details

A vulnerability was identified in spencermountain compromise up to 14.15.1. Affected is the function nlp.extend of the file src/API/extend.js of the component Public Root API. The manipulation of the argument plugin leads to improperly controlled modification of object prototype attributes. Remote exploitation of the attack is possible. The exploit is publicly available and might be used. The identifier of the patch is b4644ab7179700df0607521f61c1ee9b5f78d89d. Applying a patch is the recommended action to fix this issue. The vendor was contacted early, responded in a very professional manner and quickly released a fixed version of the affected product.

Database specific
{
    "cwe_ids": [
        "CWE-1321",
        "CWE-94"
    ],
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/15xxx/CVE-2026-15699.json",
    "cna_assigner": "VulDB"
}
References

Affected packages

Git / github.com/spencermountain/compromise

Affected ranges

Type
GIT
Repo
https://github.com/spencermountain/compromise
Events
Database specific
{
    "extracted_events": [
        {
            "introduced": "14.15.0"
        },
        {
            "last_affected": "14.15.0"
        },
        {
            "introduced": "14.15.1"
        },
        {
            "last_affected": "14.15.1"
        }
    ],
    "source": [
        "AFFECTED_FIELD",
        "REFERENCES"
    ]
}

Affected versions

14.*
14.15.0
14.15.1

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-15699.json"