HIGH
airjp73
CVE published 2026-05-27
CVE-2026-44483
## Summary

A prototype pollution vulnerability in RVF (Remix Validated Form) allows attackers to pollute `Object.prototype` by submitting crafted form data with keys like `__proto__`, `constructor`, or `prototype`. The `setPath` function in `@rvf/set-get` fails to block these dangerous keys when flattening form data, enabling arbitrary property injection on the server. This is default-reachable: any endpoin [truncated]
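The failure mode described in the summary, as an added example that is not RVF's code: a simplified path setter with no key check, next to one that rejects `__proto__`, `constructor` and `prototype` and descends only into own properties. The function names, the probe property `rvfProbe` and the sample entries are constructed for illustration.

```javascript
// Added example: a simplified path setter, not the code of @rvf/set-get.
const BLOCKED_KEYS = new Set(["__proto__", "constructor", "prototype"]);
const hasOwn = (obj, key) => Object.prototype.hasOwnProperty.call(obj, key);

// "user.tags[0]" -> ["user", "tags", "0"]
const parsePath = (path) => path.split(/[.\[\]]+/).filter((s) => s !== "");

// Unguarded: follows any client-supplied segment, including inherited ones.
function setPathNaive(target, path, value) {
  const keys = parsePath(path);
  let node = target;
  for (const key of keys.slice(0, -1)) {
    if (node[key] === undefined) node[key] = {};
    node = node[key];
  }
  node[keys[keys.length - 1]] = value;
}

// Guarded: rejects dangerous segments, descends only into own containers.
function setPathSafe(target, path, value) {
  const keys = parsePath(path);
  if (keys.length === 0) throw new TypeError("empty path");
  const bad = keys.find((k) => BLOCKED_KEYS.has(k));
  if (bad !== undefined) throw new TypeError(`blocked path segment: ${bad}`);
  let node = target;
  keys.slice(0, -1).forEach((key, i) => {
    const child = hasOwn(node, key) ? node[key] : undefined;
    if (child === null || typeof child !== "object") {
      node[key] = /^\d+$/.test(keys[i + 1]) ? [] : {};
    }
    node = node[key];
  });
  node[keys[keys.length - 1]] = value;
}

// Unflatten entries, report whether a fresh object inherits `probe`, clean up.
function unflattenAndProbe(entries, setter, probe) {
  const out = {};
  let rejected = null;
  try {
    for (const [path, value] of entries) setter(out, path, value);
  } catch (err) { rejected = err.message; }
  const polluted = probe in {};
  delete Object.prototype[probe];
  return { out, rejected, polluted };
}

// Constructed sample input, shaped like a flattened form submission.
const SAMPLE = [["user.name", "alice"], ["user.tags[0]", "a"], ["__proto__.rvfProbe", "1"]];
```

Calling `unflattenAndProbe(SAMPLE, setPathSafe, "rvfProbe")` returns the error message for the rejected segment in `rejected`, which is the value to log when monitoring for such submissions.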