CVE-2026-27212: Prototype pollution in swiper
A prototype pollution vulnerability exists in the npm package swiper (>=6.5.1, < 12.1.2). Despite a previous fix that attempted to mitigate prototype pollution by checking whether user input contained a forbidden key, it is still possible to pollute Object.prototype via a crafted input using Array.prototype. The exploit works across Windows and Linux and on Node and Bun runtimes. This issue is fixed in version 12.1.2.
References
- github.com/advisories/GHSA-hmx5-qpq5-p643
- github.com/nolimits4web/swiper
- github.com/nolimits4web/swiper/commit/d3e663322a13043ca63aaba235d8cf3900e0c8cf
- github.com/nolimits4web/swiper/releases/tag/v12.1.2
- github.com/nolimits4web/swiper/security/advisories/GHSA-hmx5-qpq5-p643
- nvd.nist.gov/vuln/detail/CVE-2026-27212
Detect and mitigate CVE-2026-27212 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities.
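A lockfile check for the affected range stated in this advisory (>=6.5.1, < 12.1.2), as an added example that is not GitLab's or the swiper project's own code. It assumes an npm lockfile with a `packages` map (lockfileVersion 2 or 3); the sample lockfile and the package names `legacy-carousel` and `swiper-extras` are constructed.

```javascript
// Affected range from the advisory: >= 6.5.1 and < 12.1.2.
const AFFECTED = { introduced: "6.5.1", fixed: "12.1.2" };

// Parse "MAJOR.MINOR.PATCH[-prerelease][+build]" into comparable parts.
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?(?:\+.*)?$/.exec(String(v).trim());
  if (!m) return null;
  return { nums: [Number(m[1]), Number(m[2]), Number(m[3])], pre: m[4] || null };
}

// Returns a negative, zero or positive number.
function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a.nums[i] !== b.nums[i]) return a.nums[i] < b.nums[i] ? -1 : 1;
  }
  // A prerelease sorts before its release (12.1.2-beta.1 < 12.1.2).
  // Simplification: two prereleases of the same release compare as equal.
  return (a.pre ? 0 : 1) - (b.pre ? 0 : 1);
}

// null means the version could not be parsed (git URL, tag) and needs manual review.
function isAffected(version) {
  const v = parseVersion(version);
  if (!v) return null;
  return compareVersions(v, parseVersion(AFFECTED.introduced)) >= 0 &&
         compareVersions(v, parseVersion(AFFECTED.fixed)) < 0;
}

// Walk the lockfile's "packages" map and report every installed copy of
// swiper, including nested copies pulled in by other dependencies.
function findSwiper(lock) {
  const hits = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    if (path === "node_modules/swiper" || path.endsWith("/node_modules/swiper")) {
      hits.push({ path, version: meta.version, affected: isAffected(meta.version) });
    }
  }
  return hits;
}

// Constructed sample lockfile, not taken from a real project.
const sampleLock = {
  packages: {
    "node_modules/swiper": { version: "12.1.2" },
    "node_modules/legacy-carousel/node_modules/swiper": { version: "8.4.7" },
    "node_modules/swiper-extras": { version: "1.0.0" },
  },
};
for (const h of findSwiper(sampleLock)) console.log(h.path, h.version, h.affected);
```

A top-level upgrade to 12.1.2 does not clear nested copies, which is why the walk matches every `node_modules/swiper` path rather than only the root one.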