PT-2026-24582 · Debian+2 · Libjs-Spin.Js+1
Eric Cornelissen +1 · Published 2026-03-11 · Updated 2026-05-07 · CVE-2026-3884
CVSS v3.1: 6.1 (Medium)
Vector: AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions
spin.js versions prior to 3.0.0
Description
The software is susceptible to Cross-site Scripting (XSS) through the spin() function. This allows an attacker to create multiple alerts for each 'target' element. Exploitation requires prototype pollution, achieved by setting an arbitrary key-value pair on Object.prototype via a crafted URL, enabling the execution of arbitrary JavaScript in the user's browser context.
Recommendations
Update to spin.js version 3.0.0 or later.
Fix
XSS
Weakness Enumeration
Related Identifiers
Affected Products
Libjs-Spin.Js
Spin.Js