Cyber Resilience

CVE-2026-44483

High

Published: 27 May 2026

Published
27 May 2026
Modified
01 June 2026
KEV Added
Patch
CVSS Score v3.1 8.2 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:L
EPSS Score 0.0027 18.8th percentile
Risk Priority 55 floored blend · peak EPSS

Summary

CVE-2026-44483 is a high-severity Prototype Pollution (CWE-1321) vulnerability. Its CVSS base score is 8.2 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 18.8th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

EU & UK References

Vulnerability details

RVF (formerly Remix Validated Form) provides easy form validation and state management for React. From 6.0.0 to before 6.0.4 and 7.0.2, setPath in @rvf/set-get (used by @rvf/core to flatten incoming form data into a nested object) does not block the…

more

keys __proto__, constructor, or prototype when walking a path. Because field names in submitted form data are passed directly to setPath via preprocessFormData (and through parseFormData / validate), an attacker who can submit a form to a Remix / React Router app using the library can set arbitrary properties on Object.prototype of the running server process. This is a default-reachable prototype pollution primitive: no special configuration is required. Any endpoint that accepts a form via parseFormData or runs a validator created with createValidator is affected. This vulnerability is fixed in 6.0.4 and 7.0.2.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

Direct prototype pollution in public-facing Remix/React Router form endpoints (parseFormData/createValidator) enables remote exploitation of the server process via crafted form submissions.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-29063Shared CWE-1321
CVE-2026-24888Shared CWE-1321
CVE-2026-28794Shared CWE-1321
CVE-2026-45302Shared CWE-1321
CVE-2026-8657Shared CWE-1321
CVE-2025-61140Shared CWE-1321
CVE-2024-57077Shared CWE-1321
CVE-2026-34221Shared CWE-1321
CVE-2026-35209Shared CWE-1321
CVE-2026-33994Shared CWE-1321

Affected Assets

Mitigating Controls

No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.

References