// wall of bugs caught

10 critical bugs
PullLight would have caught in your PRs.

Every card below is a real bug flagged during PR review — CVEs, CWEs, before/after code. No competitors have a page like this. Try it on your own PR →

13 Total catches
10 Critical
3 High
10 CVSS ≥ 9
5 Languages
critical · #auth-bypass · TypeScript · CVE-2026-1774
Prototype Pollution → Authorization Bypass in CASL
@casl/ability's rule-building path merges attacker-controlled condition objects without sanitizing prototype keys — pollutes Object.prototype, causing all subsequent ability checks to return true.
Before / after code snippet
Before (vulnerable)
// BEFORE (vulnerable)
// Attacker payload: { "__proto__": { "can": true } }
ability.update(attackerConditions);
ability.can('delete', 'Post'); // returns true for all users!
After (fixed)
// AFTER (fixed)
import { freeze } from '@casl/ability';
ability.update(freeze(attackerConditions));
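To show the mechanism behind this card, here is an added example (constructed for this page, not PullLight's or CASL's code): a naive recursive merge that lets an own "__proto__" key reach Object.prototype, beside a hardened merge that rejects prototype keys, with a stand-in rule lookup that shows why every check then passes. The payload, the canDeletePost lookup and all function names are assumptions.

```javascript
// Constructed example (not PullLight's or CASL's code): naive merge vs. hardened
// merge of attacker-controlled condition objects; payload and rule lookup are stand-ins.
const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);
const isPlainObject = (v) => v !== null && typeof v === 'object' && !Array.isArray(v);
const hasOwn = (o, k) => Object.prototype.hasOwnProperty.call(o, k);

// Vulnerable: "__proto__" is treated as an ordinary key, and target["__proto__"]
// resolves to Object.prototype, so the nested { can: true } lands on it.
function unsafeMerge(target, source) {
  for (const key of Object.keys(source)) {
    const value = source[key];
    if (!isPlainObject(value)) { target[key] = value; continue; }
    if (!isPlainObject(target[key])) target[key] = {};
    unsafeMerge(target[key], value);
  }
  return target;
}

// Hardened: reject the whole input on a prototype key (a silent skip would hide
// the attempt from logs) and only recurse into the target's OWN properties.
function safeMerge(target, source) {
  for (const key of Object.keys(source)) {
    if (FORBIDDEN_KEYS.has(key)) throw new TypeError(`rejected prototype key: ${key}`);
    const value = source[key];
    if (!isPlainObject(value)) { target[key] = value; continue; }
    if (!hasOwn(target, key) || !isPlainObject(target[key])) target[key] = {};
    safeMerge(target[key], value);
  }
  return target;
}

// Stand-in for an ability check whose lookup falls back to an empty object:
// after pollution, {}.can is inherited as true, so every subject passes.
function canDeletePost(rules) {
  const rule = rules['delete:Post'] || {};
  return rule.can === true;
}

function demo() {
  // JSON.parse, like a parsed request body, creates an OWN "__proto__" key
  // (an object literal with that key would set the prototype instead).
  const payload = JSON.parse('{"__proto__": {"can": true}}');
  unsafeMerge({}, payload);
  const afterUnsafe = canDeletePost({});   // true: authorization bypassed
  delete Object.prototype.can;             // undo the pollution in this process
  let rejected = false;
  try { safeMerge({}, payload); } catch (e) { rejected = e instanceof TypeError; }
  return { afterUnsafe, rejected, afterSafe: canDeletePost({}) };
}
```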
Browse full case studies with diffs & analysis →
Install in 60 seconds — free for OSS. Watch PullLight flag bugs like these in your PRs.
Install on GitHub →