CVE-2026-6594 — Deep Merge is Vulnerable to Prototype Pollution Through Lack of Sanitization

Description

A Prototype Pollution vulnerability was determined in brikcss merge up to 1.3.0. Executing a manipulation of the argument __proto__/constructor.prototype/prototype can lead to improperly controlled modification of object prototype attributes. The attack may be performed from remote. The vendor was contacted early about this disclosure but did not respond in any way.

How to fix CVE-2026-6594

No fixed version has been published yet. Mitigate by removing the affected package or applying upstream guidance from the references below.

—no fix listed

Is CVE-2026-6594 being exploited?

Low — EPSS is 0.1%, meaning exploitation activity has not been observed at scale.

Affected packages (1)

from 0, <= 1.3.1

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 4.0	—	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N
osv	CVSS 3.1	HIGH7.3	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

References (6)

ADVISORYnvd.nist.gov/vuln/detail/CVE-2026-6594
PATCHgithub.com/brikcss/merge
WEBgithub.com/sudo-secure/security-research/blob/main/brikcss-merge/prototype-pollution/PoC.md
WEBvuldb.com/submit/791805
WEB