Zifeng Kang

**Name of the Vulnerable Software and Affected Versions** Vue versions 2.0 through 3.0 **Description** A vulnerability has been discovered that allows an attacker to perform XSS via prototype pollution. The attacker could change the prototype chain of some properties such as `Object.prototype.staticClass` or `Object.prototype.staticStyle` to execute arbitrary JavaScript code. **Recommendations** For versions 2.0 through 3.0, update to a version where the vulnerability has been patched, as this issue has been resolved in Vue 3. As a temporary workaround, consider restricting the modification of the prototype chain for properties like `Object.prototype.staticClass` and `Object.prototype.staticStyle` until a patch is applied.