PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-15538 primefaces CVE debrief

A weakness has been identified in primefaces primereact up to 10.9.8. This issue affects the function ObjectUtils.mutateFieldData of the component API. This manipulation of the argument Field causes improperly controlled modification of object prototype attributes. The attack is possible to be carried out remotely. The project was informed of the problem early through an issue report but has not responded yet. This vulnerability only affects products that are no longer supported by the maintainer. Users of primefaces primereact up to 10.9.8 should verify their usage and assess potential exposure, especially if products are no longer supported by the maintainer.

Vendor
primefaces
Product
primereact
CVSS
MEDIUM 5.3
CISA KEV
Not listed in stored evidence
Original CVE published
2026-07-13
Original CVE updated
2026-07-13
Advisory published
2026-07-13
Advisory updated
2026-07-13

Who should care

Users of primefaces primereact up to 10.9.8 should verify their usage and assess potential exposure, especially if products are no longer supported by the maintainer. This includes affected operators, platforms, vulnerability management teams, and security teams reviewing compensating controls and remediation guidance.

Technical summary

The vulnerability exists in the ObjectUtils.mutateFieldData function of the primefaces primereact component API up to version 10.9.8. An attacker can manipulate the Field argument to improperly control modification of object prototype attributes, allowing for a remote attack. However, detailed technical analysis and verification of the vulnerability's impact are required due to limited information. The vulnerability has a CVSS score of 5.3 and is considered Medium severity.

Defensive priority

Medium priority due to the CVSS score of 5.3 and the potential for remote exploitation. Users should verify their usage and assess potential exposure, especially if products are no longer supported by the maintainer. Implement compensating controls to detect and prevent exploitation. Monitor for any vendor remediation or patches. Consider exception tracking for unsupported products. Verify and inventory usage of primefaces primereact up to 10.9.8. Assess potential exposure and impact on supported products. Track exceptions, retest remediated assets, and close the item only after evidence is documented. Review the supplied official advisory or CVE record to validate affected scope, severity, and vendor guidance. Plan vendor-supported updates or mitigations through normal change control where exposure is confirmed. Check relevant monitoring, detection, and logs for exposed assets that need extra review. Confirm whether affected product deployments exist in managed environments and assign an owner for follow-up. Review compensating controls for exposed systems while remediation is scheduled and verified. Rollback change windows if necessary. Source track for updates on affected products and components. Implement source tracking for updates on affected products and components. Perform exposure review for primefaces primereact up to 10.9.8 usage. Implement asset inventory for primefaces primereact up to 10.9.8 usage. Implement monitoring for primefaces primereact up to 10.9.8 usage. Implement vendor patch guidance for primefaces primereact up to 10.9.8 usage. Implement compensating controls for primefaces primereact up to 10.9.8 usage. Implement rollback/change windows for primefaces primereact up to 10.9.8 usage. Implement source tracking for primefaces primereact up to 10.9.8 usage. Implement exposure review for primefaces primereact up to 10.9.8 usage. Implement asset inventory for primefaces primereact up to 10.9.8 usage. Implement monitoring for primefaces primereact up to 10.9.8 usage. Implement vendor patch guidance for primefaces primereact up to 10.9.8 usage. Implement compensating controls for primefaces primereact up to 10.9.8 usage. Implement rollback / 7

Recommended defensive actions

  • Verify and inventory usage of primefaces primereact up to 10.9.8
  • Assess potential exposure and impact on supported products
  • Implement compensating controls to detect and prevent exploitation
  • Monitor for any vendor remediation or patches
  • Consider exception tracking for unsupported products

Evidence notes

The CVE record was published on 2026-07-13T07:16:28.813Z and has not been modified since then. The NVD entry is currently Received. Limited information is available about the vulnerability's impact and affected products. The project was informed of the problem early through an issue report but has not responded yet. Users should verify their usage and assess potential exposure, especially if products are no longer supported by the maintainer. Detailed technical analysis and verification of the vulnerability's impact are required due to limited information.

Official resources

AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-07-13T07:16:28.813Z and has not been modified since then. The NVD entry is currently Received.