EXECUTIVE SUMMARY:
CVE-2026-44483, with a CVSS score of 8.2, describes a high-severity prototype pollution vulnerability in the npm package @rvf/set-get. The issue arises because the package's deepMerge()-style logic does not properly sanitize or restrict object keys, allowing an attacker to inject specially crafted properties that pollute the global Object.prototype. When this library is used indirectly through @rvf/core during form preprocessing, an attacker can influence application behavior by modifying inherited object properties, potentially leading to data corruption, logic bypass, or further exploitation in dependent applications. The vulnerability is classified as reachable through normal HTTP form-data processing and is fixed in patched versions of the affected package.
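The following is an added illustration of the class of flaw described above, not the @rvf/set-get or @rvf/core code: a naive recursive merge that copies every key of untrusted input beside a hardened version that skips prototype-affecting keys and recurses only into own properties. `pollutionReached` is a constructed harness that feeds a sample form body (assumed, not from the advisory) through either merge and reports whether Object.prototype was touched.

```javascript
// Added example, not the affected package's code. Keys that can redirect a
// merge into the prototype chain; a hardened merge must never traverse them.
const FORBIDDEN_KEYS = new Set(["__proto__", "constructor", "prototype"]);

function isPlainObject(v) {
  return v !== null && typeof v === "object" && !Array.isArray(v);
}

// Naive deepMerge()-style logic: for the key "__proto__", target[key]
// resolves (via the inherited accessor) to Object.prototype, so the
// recursion writes attacker-chosen properties onto every object.
function naiveDeepMerge(target, source) {
  for (const key in source) {
    const value = source[key];
    if (isPlainObject(value)) {
      if (!isPlainObject(target[key])) target[key] = {};
      naiveDeepMerge(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Hardened merge: reject prototype-affecting keys outright and only recurse
// into a plain object that is an *own* property of target.
function safeDeepMerge(target, source) {
  for (const key of Object.keys(source)) {
    if (FORBIDDEN_KEYS.has(key)) continue;
    const value = source[key];
    if (isPlainObject(value)) {
      const ownPlain =
        Object.prototype.hasOwnProperty.call(target, key) && isPlainObject(target[key]);
      const child = ownPlain ? target[key] : (target[key] = {});
      safeDeepMerge(child, value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Constructed sample: a form body an untrusted client could submit. Merges it
// into empty defaults, probes a fresh object, then undoes any pollution.
function pollutionReached(mergeFn) {
  const untrusted = JSON.parse('{"name":"alice","__proto__":{"polluted":true}}');
  const merged = mergeFn({}, untrusted);
  const reached = ({}).polluted === true;
  delete Object.prototype.polluted; // clean up so later code is unaffected
  return { reached, name: merged.name };
}
```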
RECOMMENDATION:
REFERENCES:
The following reports contain further technical details: