Product
The `scim-patch` Node.js library, versions up to and including 0.9.0, is critically vulnerable to prototype pollution (CVE-2026-48170) when processing SCIM PATCH operations, allowing an attacker to modify `Object.prototype` process-wide through crafted `__proto__` keys in the request body, leading to potential privilege escalation or denial of service.