Staging Environment: Content and features may be unstable or change without notice.
Search for vulnerabilities
Vulnerability details: VCID-pmc7-wajy-juf8
Vulnerability ID VCID-pmc7-wajy-juf8
Aliases CVE-2021-44908
GHSA-8v3j-jfg3-v3fv
Summary Prototype Pollution in sails SailsJS Sails.js <=1.4.0 is vulnerable to Prototype Pollution via controller/load-action-modules.js, function loadActionModules().
Status Published
Exploitability 0.5
Weighted Severity 9.0
Risk 4.5
Affected and Fixed Packages Package Details
Weaknesses (3)
CWE-1035 OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities
CWE-1321 Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')
CWE-937 OWASP Top Ten 2013 Category A9 - Using Components with Known Vulnerabilities
System Score Found at
epss 0.00456 https://api.first.org/data/v1/epss?cve=CVE-2021-44908
epss 0.00456 https://api.first.org/data/v1/epss?cve=CVE-2021-44908
cvssv3.1_qr CRITICAL https://github.com/advisories/GHSA-8v3j-jfg3-v3fv
cvssv3.1 9.8 https://github.com/balderdashy/sails
generic_textual CRITICAL https://github.com/balderdashy/sails
cvssv3.1 9.8 https://github.com/balderdashy/sails/blob/master/lib/app/private/controller/load-action-modules.js#L32
generic_textual CRITICAL https://github.com/balderdashy/sails/blob/master/lib/app/private/controller/load-action-modules.js#L32
cvssv3.1 9.8 https://github.com/balderdashy/sails/commit/7c5379a656bb305c958df1dcc2b51a9668830358
generic_textual CRITICAL https://github.com/balderdashy/sails/commit/7c5379a656bb305c958df1dcc2b51a9668830358
cvssv3.1 9.8 https://github.com/balderdashy/sails/issues/7209
generic_textual CRITICAL https://github.com/balderdashy/sails/issues/7209
cvssv3.1 9.8 https://github.com/Marynk/JavaScript-vulnerability-detection/blob/main/sailsJS%20PoC.zip
generic_textual CRITICAL https://github.com/Marynk/JavaScript-vulnerability-detection/blob/main/sailsJS%20PoC.zip
cvssv3.1 9.8 https://nvd.nist.gov/vuln/detail/CVE-2021-44908
generic_textual CRITICAL https://nvd.nist.gov/vuln/detail/CVE-2021-44908
Reference id Reference type URL
https://api.first.org/data/v1/epss?cve=CVE-2021-44908
https://github.com/balderdashy/sails
https://github.com/balderdashy/sails/blob/master/lib/app/private/controller/load-action-modules.js#L32
https://github.com/balderdashy/sails/commit/7c5379a656bb305c958df1dcc2b51a9668830358
https://github.com/balderdashy/sails/issues/7209
https://github.com/Marynk/JavaScript-vulnerability-detection/blob/main/sailsJS%20PoC.zip
CVE-2021-44908 https://nvd.nist.gov/vuln/detail/CVE-2021-44908
GHSA-8v3j-jfg3-v3fv https://github.com/advisories/GHSA-8v3j-jfg3-v3fv
No exploits are available.
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H Found at https://github.com/balderdashy/sails
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H Found at https://github.com/balderdashy/sails/blob/master/lib/app/private/controller/load-action-modules.js#L32
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H Found at https://github.com/balderdashy/sails/commit/7c5379a656bb305c958df1dcc2b51a9668830358
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H Found at https://github.com/balderdashy/sails/issues/7209
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H Found at https://github.com/Marynk/JavaScript-vulnerability-detection/blob/main/sailsJS%20PoC.zip
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H Found at https://nvd.nist.gov/vuln/detail/CVE-2021-44908
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Exploit Prediction Scoring System (EPSS)
Percentile 0.64215
EPSS Score 0.00456
Published At June 4, 2026, 12:55 p.m.
Date Actor Action Source VulnerableCode Version
2026-06-02T04:41:50.821515+00:00 GitLab Importer Import https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/sails/CVE-2021-44908.yml 38.6.0