set-in_project CVE Vulnerabilities & Metrics

Focus on set-in_project vulnerabilities and metrics.

Last updated: 15 Feb 2026, 23:25 UTC

About set-in_project Security Exposure

This page consolidates all known Common Vulnerabilities and Exposures (CVEs) associated with set-in_project. We track both calendar-based metrics (using fixed periods) and rolling metrics (using gliding windows) to give you a comprehensive view of security trends and risk evolution. Use these insights to assess risk and plan your patching strategy.

For a broader perspective on cybersecurity threats, explore the comprehensive list of CVEs by vendor and product. Stay updated on critical vulnerabilities affecting major software and hardware providers.

Global CVE Overview

Total set-in_project CVEs: 3
Earliest CVE date: 02 Dec 2020, 15:15 UTC
Latest CVE date: 11 Feb 2026, 22:15 UTC

Latest CVE reference: CVE-2026-26021

Rolling Stats

30-day Count (Rolling): 1
365-day Count (Rolling): 1

Calendar-based Variation

Calendar-based Variation compares a fixed calendar period (e.g., this month versus the same month last year), while Rolling Growth Rate uses a continuous window (e.g., last 30 days versus the previous 30 days) to capture trends independent of calendar boundaries.

Variations & Growth

Month Variation (Calendar): 0%
Year Variation (Calendar): 0%

Month Growth Rate (30-day Rolling): 0.0%
Year Growth Rate (365-day Rolling): 0.0%

Monthly CVE Trends (current vs previous Year)

Annual CVE Trends (Last 20 Years)

Critical set-in_project CVEs (CVSS ≥ 9) Over 20 Years

CVSS Stats

Average CVSS: 5.0

Max CVSS: 7.5

Critical CVEs (≥9): 0

CVSS Range vs. Count

Range	Count
0.0-3.9	1
4.0-6.9	0
7.0-8.9	2
9.0-10.0	0

CVSS Distribution Chart

Top 5 Highest CVSS set-in_project CVEs

These are the five CVEs with the highest CVSS scores for set-in_project, sorted by severity first and recency.

CVE-2022-25354 set-in_project Published on 17 Mar 2022, 12:15 UTC (CVSS: 7.5)
The package set-in before 2.0.3 are vulnerable to Prototype Pollution via the setIn method, as it allows an attacker to merge object prototypes into it. **Note:** This vulnerability derives from an incomplete fix of [CVE-2020-28273](https://security.snyk.io/vuln/SNYK-JS-SETIN-1048049)
CVE-2020-28273 set-in_project Published on 02 Dec 2020, 15:15 UTC (CVSS: 7.5)
Prototype pollution vulnerability in 'set-in' versions 1.0.0 through 2.0.0 allows attacker to cause a denial of service and may lead to remote code execution.
CVE-2026-26021 set-in_project Published on 11 Feb 2026, 22:15 UTC (CVSS: 0)
set-in provides the set value of nested associative structure given array of keys. A prototype pollution vulnerability exists in the the npm package set-in (>=2.0.1, < 2.0.5). Despite a previous fix that attempted to mitigate prototype pollution by checking whether user input contained a forbidden key, it is still possible to pollute Object.prototype via a crafted input using Array.prototype. T...

All CVEs for set-in_project

CVE-2026-26021 set-in_project vulnerability CVSS: 0 11 Feb 2026, 22:15 UTC

set-in provides the set value of nested associative structure given array of keys. A prototype pollution vulnerability exists in the the npm package set-in (>=2.0.1, < 2.0.5). Despite a previous fix that attempted to mitigate prototype pollution by checking whether user input contained a forbidden key, it is still possible to pollute Object.prototype via a crafted input using Array.prototype. This has been fixed in version 2.0.5.

CVE-2022-25354 set-in_project vulnerability CVSS: 7.5 17 Mar 2022, 12:15 UTC

The package set-in before 2.0.3 are vulnerable to Prototype Pollution via the setIn method, as it allows an attacker to merge object prototypes into it. **Note:** This vulnerability derives from an incomplete fix of [CVE-2020-28273](https://security.snyk.io/vuln/SNYK-JS-SETIN-1048049)

CVE-2020-28273 set-in_project vulnerability CVSS: 7.5 02 Dec 2020, 15:15 UTC

Prototype pollution vulnerability in 'set-in' versions 1.0.0 through 2.0.0 allows attacker to cause a denial of service and may lead to remote code execution.