Home / Vulnerability Intelligence / CVE-2026-33228

CVE-2026-33228 - Vulnerability Analysis

CriticalCVSS: 9.8

Last Updated: March 23, 2026

flatted - Prototype Pollution

Published: March 20, 2026Updated: March 23, 2026PoC AvailableRemote Exploitable

Overview

flatted < 3.4.2 contains a prototype pollution caused by improper validation of array index keys in parse() function, letting attackers leak and modify Array.prototype, exploit requires crafted JSON input.

Severity & Score

Severity: Critical

CVSS Score: 9.8

Impact

Attackers can pollute the global prototype, leading to potential application logic corruption or security bypass.

Mitigation

Update to version 3.4.2 or later.

References

https://github.com/WebReflection/flatted/commit/885ddcc33cf9657caf38c57c7be45ae1c5272802
https://github.com/WebReflection/flatted/releases/tag/v3.4.2
https://github.com/WebReflection/flatted/security/advisories/GHSA-rf6f-7fwh-wjgh

Related Resources

Vulnerability Intelligence Dashboard
Credential Scanner

Details

CVE ID: CVE-2026-33228
Severity: Critical
CVSS Score: 9.8
Type: prototype_pollution
Status: confirmed

CWE

CWE-1321

CVSS Metrics

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H