CVE-2026-6594: Deep Merge is Vulnerable to Prototype Pollution Through Lack of Sanitization

April 20, 2026 (updated April 23, 2026)

A Prototype Pollution vulnerability was determined in brikcss merge up to 1.3.0. Executing a manipulation of the argument proto/constructor.prototype/prototype can lead to improperly controlled modification of object prototype attributes. The attack may be performed from remote. The vendor was contacted early about this disclosure but did not respond in any way.

References

github.com/advisories/GHSA-3jc6-6r48-v6qf
github.com/brikcss/merge
github.com/sudo-secure/security-research/blob/main/brikcss-merge/prototype-pollution/PoC.md
nvd.nist.gov/vuln/detail/CVE-2026-6594
vuldb.com/submit/791805
vuldb.com/vuln/358229
vuldb.com/vuln/358229/cti

Code Behaviors & Features

Detect and mitigate CVE-2026-6594 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →