diff --git a/lib/processors/jsdoc/lib/ui5/template/publish.cjs b/lib/processors/jsdoc/lib/ui5/template/publish.cjs
index f9348b2a9..c51626f64 100644
--- a/lib/processors/jsdoc/lib/ui5/template/publish.cjs
+++ b/lib/processors/jsdoc/lib/ui5/template/publish.cjs
@@ -89,6 +89,10 @@ function merge(target, source) {
 if ( source != null ) {
 // simple single source merge
 Object.keys(source).forEach((prop) => {
+ // guarding against prototype pollution. (https://codeql.github.com/codeql-query-help/javascript/js-prototype-pollution-utility/#example)
+ if (prop === "__proto__" || prop === "constructor") {
+ return;
+ }
 const value = source[prop];
 if ( value != null && value.constructor === Object ) {
 merge(target[prop] || {}, value);
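Review bot: The guard added at the top of the `forEach` callback is a two-name denylist, while the recursive call below it still reads `target[prop]` through the prototype chain, so a key that matches any other inherited member makes `merge` recurse into an object shared via `Object.prototype` rather than one owned by `target`. An own-property check at the recursion site covers that case without enumerating names: `const own = Object.prototype.hasOwnProperty.call(target, prop) ? target[prop] : undefined;` followed by `merge(own || {}, value);`. Whether `source` can ever carry keys from untrusted input is not visible in this hunk, so treat this as hardening rather than a confirmed exposure. The new comment would also read better if it said why these two names are skipped, for example `// skip keys that would reach Object.prototype via target[prop]`, with the CodeQL link kept as the reference. The callback and the rest of `merge` continue outside the hunk.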