Home > Vulnerability Database > CVE-2026-24888

Mend.io Vulnerability Database

CVE-2026-24888

Good to know:

Date: January 28, 2026

Maker.js is a 2D vector line drawing and shape modeling for CNC and laser cutters. In versions up to and including 0.19.1, the "makerjs.extendObject" function copies properties from source objects without proper validation, potentially exposing applications to security risks. The function lacks "hasOwnProperty()" checks and does not filter dangerous keys, allowing inherited properties and potentially malicious properties to be copied to target objects. A patch is available in commit 85e0f12bd868974b891601a141974f929dec36b8, which is expected to be part of version 0.19.2.

Severity Score

6.5

Related Resources (6)

Url: https://nvd.nist.gov/vuln/detail/CVE-2026-24888

Url: https://github.com/microsoft/maker.js/commit/85e0f12bd868974b891601a141974f929dec36b8

Url: https://github.com/microsoft/maker.js/blob/98cffa82a372ff942194c925a12a311253587167/packages/maker.js/src/core/maker.ts#L232-L241

Url: https://github.com/microsoft/maker.js

Url: https://github.com/microsoft/maker.js/security/advisories/GHSA-2cp6-34r9-54xx

Url: https://www.mend.io/vulnerability-database/CVE-2026-24888

Severity Score

6.5

Weakness Type (CWE)

Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')

CWE-1321

Top Fix

Upgrade Version

Upgrade to version makerjs - 0.19.2;makerjs - 0.19.2

Learn More

CVSS v3.1

Base Score:	6.5
Attack Vector (AV):	NETWORK
Attack Complexity (AC):	LOW
Privileges Required (PR):	NONE
User Interaction (UI):	NONE
Scope (S):	UNCHANGED
Confidentiality (C):	LOW
Integrity (I):	LOW
Availability (A):	NONE

Mend.io Vulnerability Database

We found results for “”

CVE-2026-24888

Good to know:

Date: January 28, 2026

Severity Score

Related Resources (6)

Severity Score

Weakness Type (CWE)

Top Fix

Upgrade Version

CVSS v3.1

Do you need more information?