DEBIAN-CVE-2020-7746

DEBIAN-CVE-2020-7746 PUBLISHED CVSS 9.800000190734863 CRITICAL

This affects the package chart.js before 2.9.4. The options parameter is not properly sanitized when it is processed. When the options are processed, the existing options (or the defaults options) are deeply merged with provided options. However, during this operation, the keys of the object being set are not checked, leading to a prototype pollution.

Risk Scores

CVSS 3.1

9.800000190734863

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Affected Products

Vendor	Product	Versions
Debian:12	node-chart.js	0, 0, 0
Debian:13	node-chart.js	0, 0, 0
Debian:14	node-chart.js	0, 0, 0
Debian:11	node-chart.js	0, 0, 0

Exploit Intelligence

zap.html (github-poc)
RQ5.html (github-poc)

Timeline

Oct 29, 2020 CVE Published
Apr 28, 2026 CVE Updated

References

https://security-tracker.debian.org/tracker/CVE-2020-7746 advisory

Open in Interactive Console →