cvedb.io
CVE-2026-3884
MEDIUM · CVSS 6.1
EPSS exploitation probability: 0%
Published 2026-03-11T06:17:15.183 · Last modified 2026-06-17T10:44:22.803

Summary

Versions of the package spin.js before 3.0.0 are vulnerable to Cross-site Scripting (XSS) via the spin() function, which allows the creation of more than 1 alert for each 'target' element. To execute arbitrary JavaScript in the context of the user's browser, an attacker would first need to achieve prototype pollution by setting an arbitrary key-value pair on Object.prototype through a crafted URL.

Affected products

spin.js — spin.js


This product uses data from the NVD API but is not endorsed or certified by the NVD. Informational only; not professional security advice.