A vulnerability was found in RobinHerbots Inputmask up to 5.0.9 and classified as critical. Affected by this issue is the function extendDefaults/extendDefinitions/extendAliases in the library lib/dependencyLibs/extend.js of the component Internal Deep Merge Helper. The manipulation results in improperly controlled modification of object prototype attributes.

This vulnerability was named CVE-2026-16150. The attack may be performed from remote. There is no available exploit.

The project was informed of the problem early through an issue report but has not responded yet.