PT-2026-7723 · Set-In

Kevgeoleo

Published 2026-02-11 · Updated 2026-02-15

CVE-2026-26021

CVSS v3.1: 9.8 Critical (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
Name of the Vulnerable Software and Affected Versions: set-in versions 2.0.1 through 2.0.4

Description: set-in is a Node.js package that sets values within nested associative structures given an array of keys. A flaw exists where, despite a previous attempt to prevent prototype pollution by checking for forbidden keys, it remains possible to pollute Object.prototype using a crafted input that leverages Array.prototype. The issue resides in the includes() check used to validate user-supplied keys. A proof-of-concept demonstrates bypassing the intended protection by redefining Array.prototype.includes to always return false, which allows a property named polluted to be injected into Object.prototype. This could potentially lead to authentication bypass, denial of service, or remote code execution if the polluted property reaches a vulnerable sink.

Recommendations: set-in versions 2.0.1 through 2.0.4 should be updated to version 2.0.5.
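As an added illustration (not the set-in project's own code and not its 2.0.5 fix), the following contrasts a forbidden-key check that resolves includes() through Array.prototype with one that compares keys by strict equality, so it still rejects __proto__ when that prototype method has been replaced as the proof of concept describes; the key list, the setIn helper and all function names are assumptions for this example.

```javascript
// Added example, not the set-in package's code or its 2.0.5 fix. The key list
// and helper names are assumed for illustration.

const FORBIDDEN = ['__proto__', 'constructor', 'prototype'];

// Weak check: includes() is looked up on Array.prototype at call time, so a
// process in which that method was replaced treats every key as allowed.
function isForbiddenWeak(key) {
  return FORBIDDEN.includes(key);
}

// Hardened check: strict equality against literals, no prototype lookup; the
// key is coerced to a string so ['__proto__'] and '__proto__' are judged alike.
function isForbiddenHardened(key) {
  const k = String(key);
  return k === '__proto__' || k === 'constructor' || k === 'prototype';
}

// Minimal nested setter that validates every path element before writing;
// intermediate nodes are only reused when they are own, plain objects.
function setIn(target, path, value) {
  if (!Array.isArray(path) || path.length === 0) throw new TypeError('path must be a non-empty array');
  let node = target;
  for (let i = 0; i < path.length; i++) {
    const key = path[i];
    if (isForbiddenHardened(key)) throw new Error('forbidden key: ' + String(key));
    if (i === path.length - 1) {
      node[key] = value;
    } else {
      const next = Object.hasOwn(node, key) ? node[key] : undefined;
      if (next === null || typeof next !== 'object') node[key] = {};
      node = node[key];
    }
  }
  return target;
}

// Evaluate both checks while Array.prototype.includes is temporarily replaced,
// the condition the advisory's proof of concept relies on, then restore it.
function compareUnderPatchedIncludes() {
  const original = Array.prototype.includes;
  Array.prototype.includes = function () { return false; };
  try {
    return { weak: isForbiddenWeak('__proto__'), hardened: isForbiddenHardened('__proto__') };
  } finally {
    Array.prototype.includes = original;
  }
}
```

Under the patched method the weak check returns false for '__proto__' while the hardened check still returns true, which is the difference a regression test for this class of bug should assert on.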

Exploit

Fix

Prototype Pollution

Weakness Enumeration

Related Identifiers

CVE-2026-26021
GHSA-2C4M-G7RX-63Q7

Affected Products

Set-In