diff --git a/CHANGES-WEBSPELLCHECKER.md b/CHANGES-WEBSPELLCHECKER.md
new file mode 100644
index 00000000..bf499254
--- /dev/null
+++ b/CHANGES-WEBSPELLCHECKER.md
@@ -0,0 +1,7 @@
+# WebSpellChecker changes for Rangy
+
+## 2026-06-17
+
+### Security
+
+- **CVE-2023-26102:** backported fixes for Prototype Pollution vulnerability in the [lib](https://github.com/timdown/rangy/commit/6671f0f18d93a306d6d46dfee2685fb915235eca) and [core](https://github.com/timdown/rangy/commit/874bf821d833f27be76962357ad9d076a2641efe) modules.
\ No newline at end of file
diff --git a/lib/rangy-core.js b/lib/rangy-core.js
index 69e95bfa..e599d2a7 100644
--- a/lib/rangy-core.js
+++ b/lib/rangy-core.js
@@ -158,6 +158,9 @@
 util.extend = extend = function(obj, props, deep) {
 var o, p;
 for (var i in props) {
+ if (i === "__proto__" || i === "constructor" || i === "prototype") {
+ continue;
+ }
 if (props.hasOwnProperty(i)) {
 o = obj[i];
 p = props[i];
@@ -3811,7 +3814,7 @@
 win = null;
 });
 });
-
+
 /*----------------------------------------------------------------------------------------------------------------*/
diff --git a/src/core/core.js b/src/core/core.js
index 58086a36..b3e8e479 100644
--- a/src/core/core.js
+++ b/src/core/core.js
@@ -148,6 +148,9 @@
 util.extend = extend = function(obj, props, deep) {
 var o, p;
 for (var i in props) {
+ if (i === "__proto__" || i === "constructor" || i === "prototype") {
+ continue;
+ }
 if (props.hasOwnProperty(i)) {
 o = obj[i];
 p = props[i];
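Review bot: In `util.extend` (the hunk at line 158 of `lib/rangy-core.js`, and identically at line 148 of `src/core/core.js`), the ownership test directly below the new guard still calls `props.hasOwnProperty(i)` on the object being merged, so a `props` that carries its own `hasOwnProperty` key or has a null prototype makes that call throw; `if (Object.prototype.hasOwnProperty.call(props, i)) {` removes the dependency on the merged object. The new key filter also deserves a one-line comment such as `// Skip keys that can reach Object.prototype during a deep merge (CVE-2023-26102)` so a later cleanup does not remove it as dead code. The guard drops `constructor` and `prototype` even when they are ordinary own properties of `props`, which is a behaviour change for any caller that passes those keys and is worth stating in the changelog entry. No regression test accompanies the backport in this diff, and the rest of the function body, including the recursive `deep` branch, lies outside both hunks, so it could not be checked here.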