PT-2026-21358 · Swiper · Swiper

Kevgeoleo +2 · Published 2026-02-19 · Updated 2026-05-19 · CVE-2026-27212

CVSS v4.0: 9.4 Critical

Vector: AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H

Name of the Vulnerable Software and Affected Versions

Swiper versions 6.5.1 through 12.1.1

Description

Swiper is a free and mobile touch slider with hardware-accelerated transitions and native behavior. A prototype pollution issue exists in the shared/utils.mjs file, specifically at line 94, where the indexOf() function is used to validate user-provided input. Despite a prior attempt to address prototype pollution by checking for forbidden keys, it remains possible to pollute Object.prototype using a crafted input leveraging Array.prototype. This issue impacts Windows and Linux systems, as well as Node and Bun runtimes. Applications processing attacker-controlled input with this package may be susceptible to Authentication Bypass, Denial of Service, and Remote Code Execution (RCE).

Recommendations

Update to version 12.1.2 to resolve this issue.
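
To check a project against the affected range above, the following added example (not part of the advisory or of Swiper's code) scans a parsed npm package-lock.json for every installed copy of swiper, including nested ones. It assumes npm's lockfile layout; the sample lockfile is constructed, and flagging prereleases at the range boundaries as affected is a conservative assumption.

```javascript
// Range taken from this advisory: 6.5.1 through 12.1.1 affected, 12.1.2 fixed.
const FIRST_AFFECTED = [6, 5, 1];
const FIRST_FIXED = [12, 1, 2];

// Parse "MAJOR.MINOR.PATCH[-prerelease][+build]"; returns null if not semver.
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(-[0-9A-Za-z.-]+)?(\+[0-9A-Za-z.-]+)?$/.exec(String(v).trim());
  return m ? { core: [Number(m[1]), Number(m[2]), Number(m[3])], pre: Boolean(m[4]) } : null;
}

function compareCore(a, b) {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  return 0;
}

function classify(version) {
  const p = parseVersion(version);
  if (!p) return 'unknown'; // git URLs, tags, missing version: review by hand
  if (compareCore(p.core, FIRST_AFFECTED) < 0) return 'not-affected';
  const c = compareCore(p.core, FIRST_FIXED);
  // A prerelease of 12.1.2 sorts before the fixed release, so flag it.
  return c < 0 || (c === 0 && p.pre) ? 'affected' : 'fixed';
}

function findSwiper(lock) {
  const hits = [];
  // lockfileVersion 2/3: flat "packages" map keyed by install path.
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    if (/(^|\/)node_modules\/swiper$/.test(path)) hits.push({ path, version: meta.version });
  }
  // lockfileVersion 1: nested "dependencies" tree (only when "packages" is absent).
  const walk = (deps, prefix) => {
    for (const [name, meta] of Object.entries(deps || {})) {
      const path = `${prefix}node_modules/${name}`;
      if (name === 'swiper') hits.push({ path, version: meta.version });
      walk(meta.dependencies, `${path}/`);
    }
  };
  if (!lock.packages) walk(lock.dependencies, '');
  return hits.map((h) => ({ ...h, status: classify(h.version) }));
}

// Constructed sample lockfile; versions are illustrative only.
const SAMPLE_LOCK = { lockfileVersion: 3, packages: {
  '': { name: 'demo-app', version: '1.0.0' },
  'node_modules/swiper': { version: '11.0.5' },
  'node_modules/widget/node_modules/swiper': { version: '12.1.2' },
  'node_modules/legacy/node_modules/swiper': { version: '6.4.0' },
  'node_modules/swiper-helpers': { version: '8.0.0' }, // other package, not matched
} };
console.log(findSwiper(SAMPLE_LOCK));
```

For a real project, pass the result of JSON.parse on the contents of package-lock.json to findSwiper; nested copies pulled in by other dependencies are reported with their install path.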

Exploit · Fix · DoS · RCE · Prototype Pollution

Weakness Enumeration

Related Identifiers

CVE-2026-27212
GHSA-HMX5-QPQ5-P643

Affected Products

Swiper