<Vulnerability name="CVE-2026-15697">
    <DocumentDistribution xml:lang="en">Copyright © 2012 Red Hat, Inc. All rights reserved.</DocumentDistribution>
    <ThreatSeverity>Moderate</ThreatSeverity>
    <PublicDate>2026-07-14T15:15:09</PublicDate>
    <Bugzilla id="2500013" url="https://bugzilla.redhat.com/show_bug.cgi?id=2500013" xml:lang="en:us">
svg.js: svg.js: Remote object prototype pollution
    </Bugzilla>
    <CVSS3 status="draft">
        <CVSS3BaseScore>6.3</CVSS3BaseScore>
        <CVSS3ScoringVector>CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L</CVSS3ScoringVector>
    </CVSS3>
    <CWE>CWE-915</CWE>
    <Details xml:lang="en:us" source="Mitre">
A vulnerability was found in svgdotjs svg.js up to 3.2.5. This affects the function EventTarget.on of the file svgdotjs/svg.js of the component npm Package API. Performing a manipulation results in improperly controlled modification of object prototype attributes. The attack may be initiated remotely. The project was informed of the problem early through an issue report but has not responded yet.
    </Details>
    <Details xml:lang="en:us" source="Red Hat">
A flaw was found in svgdotjs svg.js. A remote attacker could exploit a vulnerability in the `EventTarget.on` function, which improperly controls modifications to object prototype attributes. This could allow an attacker to manipulate object properties, potentially leading to unintended behavior or data alteration within the application.
    </Details>
    <Statement xml:lang="en:us">
A Moderate severity prototype pollution flaw was identified in svg.js, affecting the console components of Red Hat Advanced Cluster Management for Kubernetes and Multicluster Engine for Kubernetes. This vulnerability allows an authenticated remote attacker to manipulate object properties through the `EventTarget.on` function, potentially leading to unintended behavior or data alteration within the application's console. The impact is limited to the console and requires prior authentication.
    </Statement>
    <Mitigation xml:lang="en:us">
Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base, or stability.
    </Mitigation>
    <PackageState cpe="cpe:/a:redhat:multicluster_engine">
        <ProductName>Multicluster Engine for Kubernetes</ProductName>
        <FixState>Under investigation</FixState>
        <PackageName>multicluster-engine/console-mce-rhel9</PackageName>
    </PackageState>
    <PackageState cpe="cpe:/a:redhat:acm:2">
        <ProductName>Red Hat Advanced Cluster Management for Kubernetes 2</ProductName>
        <FixState>Under investigation</FixState>
        <PackageName>rhacm2/console-rhel9</PackageName>
    </PackageState>
    <References xml:lang="en:us">
https://www.cve.org/CVERecord?id=CVE-2026-15697
https://nvd.nist.gov/vuln/detail/CVE-2026-15697
https://github.com/svgdotjs/svg.js/
https://github.com/svgdotjs/svg.js/issues/1343
https://vuldb.com/cve/CVE-2026-15697
https://vuldb.com/submit/856013
https://vuldb.com/vuln/378244
https://vuldb.com/vuln/378244/cti
    </References>
</Vulnerability>