Potential prototype pollution vulnerability in the DisplayLayoutToolbar plugin #8232

@akhenry

Originally reported by @RinZ27 (thanks!)

Summary

Potential prototype pollution vulnerability in the DisplayLayoutToolbar plugin. The #getPropertyFromPath method is traversing object paths without validating keys, which could allow sensitive properties like __proto__ or constructor to be accessed.

No potential for prototype pollution has been identified.

Impact Check List

  • Data loss or misrepresented data?
  • Regression? Did this used to work or has it always been broken?
  • Is there a workaround available?
  • Does this impact a critical component?
  • Is this just a visual bug with no functional impact?
  • Does this block the execution of e2e tests?
  • Does this have an impact on Performance?
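
The key validation the summary says is missing, shown as an added example that is not Open MCT's code. The function signatures, the dot-separated path syntax, the blocked-key list and the sample object are all assumptions made for illustration.

```javascript
// Added illustration, not Open MCT source. Signatures and path syntax are assumed.
const BLOCKED_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

// Unvalidated traversal: each path segment is used directly as a key,
// so inherited properties such as __proto__ and constructor are reachable.
function getPropertyFromPathUnsafe(object, path) {
  return path
    .split('.')
    .reduce((current, key) => (current == null ? undefined : current[key]), object);
}

// Hardened traversal: refuse blocked segments and follow own properties only.
function getPropertyFromPathSafe(object, path) {
  if (typeof path !== 'string' || path.length === 0) {
    return undefined;
  }
  let current = object;
  for (const key of path.split('.')) {
    if (BLOCKED_KEYS.has(key)) {
      return undefined; // never step onto the prototype chain
    }
    const traversable =
      current !== null && (typeof current === 'object' || typeof current === 'function');
    if (!traversable || !Object.prototype.hasOwnProperty.call(current, key)) {
      return undefined; // inherited members (toString, etc.) are not exposed
    }
    current = current[key];
  }
  return current;
}

// Constructed sample object standing in for a layout item.
const sampleItem = { configuration: { items: [{ stroke: '#fff', x: 1 }] } };

console.log(getPropertyFromPathUnsafe(sampleItem, '__proto__') === Object.prototype);
console.log(getPropertyFromPathSafe(sampleItem, '__proto__'));
console.log(getPropertyFromPathSafe(sampleItem, 'configuration.items.0.stroke'));
```

The own-property check is stricter than the blocklist alone: it also stops reads of any other inherited member, which matters if the returned reference is later used as an assignment target.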
