lowCVE-2026-15187

enquirer Public Package API Prototype Pollution Vulnerability

A security flaw has been discovered in enquirer up to 2.4.1. Affected is the function Enquirer.set of the component Public Package API. The manipulation of the argument question.name results in improperly controlled modification of object prototype attributes. The attack can be launched remotely. The exploit has been released to the public and may be used for attacks. The project was informed of the problem early through an issue report.

Productenquirer
CVSS2.1
EPSSNot scored yet
UpdatedJuly 9, 2026

Quick answer

enquirer should be reviewed and updated if it matches the affected versions. The recommended fix is to apply the vendor-supported patched version or the mitigation steps below, then retest the public website with Fixnx.

Who is affected

Affected versions

  • enquirer up to 2.4.1

Fixed versions

  • Apply the latest vendor-supported patched version.

How to fix it

The enquirer npm package is affected by a prototype pollution style issue in Enquirer.set through question.name. Update or replace affected enquirer versions and validate untrusted prompt definitions before passing them to the public package API. This is most relevant in build tools, CLIs, and services that accept prompt configuration from users or external packages.

  1. Inventory projects, CLIs, build tools, and scripts that depend on enquirer up to 2.4.1.
  2. Update enquirer to a fixed version when available or replace it with a maintained alternative if no fix is published.
  3. Regenerate lockfiles and redeploy applications from a clean dependency tree.
  4. Do not pass untrusted question.name values or external prompt definitions directly into Enquirer.set.
  5. Add validation that blocks prototype keys such as __proto__, prototype, and constructor in prompt names.
  6. Review CI logs, build scripts, and CLI execution paths for untrusted prompt input.
  7. Rotate package registry, CI, and deployment tokens if the affected package executed in a sensitive build environment.

Scan now. Google sign-in is only needed to unlock fix guidance.

Verify the fix

  • Confirm dependency scans no longer flag CVE-2026-15187 for deployed projects.
  • Validate crafted prompt names cannot modify Object.prototype or application prototypes.
  • Review lockfiles to ensure affected enquirer versions are removed or isolated.
  • Run CLI and build workflow tests after dependency changes.
  • Run a Fixnx scan against deployed sites rebuilt from the cleaned dependency tree.

Related categories

Trusted references

FAQ

What is affected by CVE-2026-15187?

enquirer versions listed as affected should be reviewed: enquirer up to 2.4.1.

What should I fix first?

Start with internet-facing sites, admin panels, login flows, plugins, themes, modules, packages, and systems that process user-controlled input or sensitive data.

How do I confirm the fix worked?

Apply the patched version or mitigation, clear caches where relevant, retest the affected workflow, and run a new Fixnx scan to verify public website exposure signals.

Why can this risk appear in multiple categories?

A vulnerability can belong to more than one platform or ecosystem. Fixnx keeps one canonical risk page while also listing it in every relevant category.