spin.js Versions Before 3.0.0 Allow Malicious Website Attacks
CVE-2026-3884
Summary
In spin.js versions before 3.0.0, an attacker can inject malicious JavaScript into a website that uses the library, potentially allowing them to steal user data or take control of the site. The attack requires the attacker to first achieve prototype pollution through a crafted URL. To protect your site, update spin.js to version 3.0.0 or later.
Original title
Versions of the package spin.js before 3.0.0 are vulnerable to Cross-site Scripting (XSS) via the spin() function that allows a creation of more than 1 alert for each 'target' element. An attacker ...
Original description
Versions of the package spin.js before 3.0.0 are vulnerable to Cross-site Scripting (XSS) via the spin() function that allows a creation of more than 1 alert for each 'target' element. An attacker would need to set an arbitrary key-value pair on Object.prototype through a crafted URL achieving a prototype pollution first, before being able to execute arbitrary JavaScript in the context of the user's browser.
nvd CVSS3.1
6.1
nvd CVSS4.0
2.0
Vulnerability type
CWE-79
Cross-site Scripting (XSS)
Published: 11 Mar 2026 · Updated: 13 Mar 2026 · First seen: 11 Mar 2026