
CVE-2026-33228

Severity: High · Public PoC · Patch available

Published: 20 March 2026
Modified: 27 June 2026
KEV Added: not listed
CVSS Score v4: 8.9 (CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X)
EPSS Score: 0.0061 (44.7th percentile)
Risk Priority: 55 (floored blend · peak EPSS)

Summary

CVE-2026-33228 is a high-severity Prototype Pollution (CWE-1321) vulnerability in Webreflection Flatted. Its CVSS base score is 8.9 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks at the 44.7th percentile by exploit likelihood (below the median), it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2026-33228 is a prototype pollution vulnerability in the flatted JavaScript library, a circular JSON parser, affecting versions prior to 3.4.2. The issue arises in the parse() function, which uses attacker-controlled string values from the parsed JSON as direct array index keys without validating that they are numeric. When the internal input buffer—a JavaScript Array—is accessed with the key "__proto__", it returns Array.prototype via the inherited getter. This object is then treated as a legitimate parsed value and assigned as a property of the output object, leaking a live reference to Array.prototype to the consumer application.

An attacker can exploit this vulnerability remotely over the network with low complexity and no privileges or user interaction required, as indicated by the CVSS 3.1 score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H). By supplying a JSON string that contains "__proto__" where the parser expects an array index, the attacker causes parse() to place a live reference to Array.prototype into its output. If the consuming code subsequently writes properties to this leaked reference, it modifies the global Array.prototype, potentially leading to remote code execution, denial of service, or arbitrary code manipulation depending on the application's logic and further exploitation chains.

The vulnerability, classified under CWE-1321 (Improperly Controlled Modification of Object Prototype Attributes), has been patched in flatted version 3.4.2. Security practitioners should upgrade to this version or later. Relevant resources include the patch commit at https://github.com/WebReflection/flatted/commit/885ddcc33cf9657caf38c57c7be45ae1c5272802, the release announcement at https://github.com/WebReflection/flatted/releases/tag/v3.4.2, and the GitHub security advisory at https://github.com/WebReflection/flatted/security/advisories/GHSA-rf6f-7fwh-wjgh.


Vulnerability details

flatted is a circular JSON parser. Prior to version 3.4.2, the parse() function in flatted can use attacker-controlled string values from the parsed JSON as direct array index keys, without validating that they are numeric. Since the internal input buffer is a JavaScript Array, accessing it with the key "__proto__" returns Array.prototype via the inherited getter. This object is then treated as a legitimate parsed value and assigned as a property of the output object, effectively leaking a live reference to Array.prototype to the consumer. Any code that subsequently writes to that property will pollute the global prototype. This issue has been patched in version 3.4.2.
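The mechanism described above and in the deeper analysis, as an added example that is not flatted's own code: a lookup that uses an untrusted string key directly on an Array buffer resolves "__proto__" to Array.prototype, while a canonical array-index check rejects the key before it reaches the buffer. The function and variable names are hypothetical and the buffer contents are constructed.

```javascript
// Added example, not code from flatted: reproduces the shape of the bug the
// advisory describes (a string key from untrusted input used directly as an
// index into an internal Array) and shows the validation that closes it.
"use strict";

// The flawed pattern: any string key goes straight into the Array buffer.
// For the key "__proto__" the lookup does not fail; it returns Array.prototype
// through the accessor every array inherits from Object.prototype.
function lookupUnchecked(buffer, key) {
  return buffer[key];
}

// Accept only canonical array indices: a decimal integer string with no sign,
// whitespace or leading zeros, below the ECMAScript limit of 2^32 - 1.
function isArrayIndex(key) {
  return typeof key === "string" &&
    /^(0|[1-9][0-9]*)$/.test(key) &&
    Number(key) < 4294967295;
}

// The hardened pattern: validate the key, then require it to address an element
// the buffer actually holds; anything else is rejected instead of resolved.
function lookupChecked(buffer, key) {
  if (!isArrayIndex(key) || Number(key) >= buffer.length) {
    throw new RangeError(`invalid reference ${JSON.stringify(key)}`);
  }
  return buffer[key];
}

// Consumer-side guard for code that cannot upgrade immediately: refuse to keep
// (or write into) a parsed value that is itself a built-in prototype object.
function isBuiltinPrototype(value) {
  return value === Array.prototype || value === Object.prototype ||
    value === Function.prototype;
}

// Constructed buffer standing in for a parser's internal value table.
const buffer = ["root", { name: "demo" }, 42];

function demonstrate() {
  const leaked = lookupUnchecked(buffer, "__proto__");
  let rejected = false;
  try { lookupChecked(buffer, "__proto__"); } catch (e) { rejected = e instanceof RangeError; }
  return {
    leaksArrayPrototype: leaked === Array.prototype,   // true: the bug
    leakDetected: isBuiltinPrototype(leaked),          // true: consumer guard fires
    checkedRejectsKey: rejected,                       // true: hardened lookup refuses
    checkedStillResolves: lookupChecked(buffer, "1") === buffer[1],
  };
}

console.log(demonstrate());
```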

CWE(s): CWE-1321 Improperly Controlled Modification of Object Prototype Attributes (Prototype Pollution)

Related Threats

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1059.007 JavaScript (Execution): Adversaries may abuse various implementations of JavaScript for execution.

Why these techniques?

CVE enables remote unauthenticated exploitation of public-facing apps (T1190) via crafted JSON leading to prototype pollution and RCE in JS runtimes (T1059.007).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-32141: same product (Webreflection Flatted)
CVE-2026-25881: shared CWE-1321
CVE-2026-40897: shared CWE-915
CVE-2024-24292: shared CWE-1321
CVE-2026-25754: shared CWE-1321
CVE-2026-44966: shared CWE-1321
CVE-2024-38985: shared CWE-1321
CVE-2026-26021: shared CWE-1321
CVE-2026-25521: shared CWE-1321, CWE-915
CVE-2026-6621: shared CWE-1321

Affected Assets

webreflection / flatted / ≤ 3.4.2

Mitigating Controls (NIST 800-53 r5)

Prevent: SI-10 (Information Input Validation). Requires validation of attacker-controlled JSON string keys to ensure they are numeric before using them as array indices, directly preventing the prototype pollution via '__proto__'.

Prevent: SI-2 (Flaw Remediation). Mandates timely identification, reporting, and correction of flaws by upgrading flatted to version 3.4.2 or later, which patches the vulnerability.

Detect: Provides vulnerability scanning to identify systems using vulnerable versions of the flatted library affected by this CVE.
