CVE-2026-15699 | spencermountain compromise up to 14.15.1 Public Root API src/API/extend.js nlp.extend plugin prototype pollution (Issue 1208)
A vulnerability was found in spencermountain compromise up to 14.15.1. It has been rated as critical. Affected is the function nlp.extend of the file src/API/extend.js of the component Public Root API. The manipulation of the argument plugin leads to improperly controlled modification of object prototype attributes.
This vulnerability is referenced as CVE-2026-15699. Remote exploitation of the attack is possible. Furthermore, an exploit is available.
Applying a patch is the recommended action to fix this issue.
The vendor was contacted early, responded in a very professional manner and quickly released a fixed version of the affected product.