diff --git a/lib/jsdoc/ui5/template/publish.js b/lib/jsdoc/ui5/template/publish.js
index 67e7011a3f4e..3922616c37f0 100644
--- a/lib/jsdoc/ui5/template/publish.js
+++ b/lib/jsdoc/ui5/template/publish.js
@@ -89,6 +89,10 @@ function merge(target, source) {
 	if ( source != null ) {
 		// simple single source merge
 		Object.keys(source).forEach((prop) => {
+			// guarding against prototype pollution. (https://codeql.github.com/codeql-query-help/javascript/js-prototype-pollution-utility/#example)
+			if (prop === "__proto__" || prop === "constructor") {
+				return;
+			}
 			const value = source[prop];
 			if ( value != null && value.constructor === Object ) {
 				merge(target[prop] || {}, value);