Debian · Libjs-Spin.Js · CVE-2026-3884
**Name of the Vulnerable Software and Affected Versions**
spin.js versions prior to 3.0.0
**Description**
The software is susceptible to Cross-site Scripting (XSS) through the `spin()` function. This allows an attacker to create multiple alerts for each 'target' element. Exploitation requires prototype pollution, achieved by setting an arbitrary key-value pair on `Object.prototype` via a crafted URL, enabling the execution of arbitrary JavaScript in the user's browser context.
**Recommendations**
Update to spin.js version 3.0.0 or later.