PatchSiren cyber security CVE debrief
CVE-2026-33228 WebReflection CVE debrief
CVE-2026-33228 is a vulnerability in the Flatted circular JSON parser, which allows an attacker to pollute the global prototype by providing unvalidated string values as direct array index keys. This issue was patched in version 3.4.2. The vulnerability has a CVSS score of 8.9 and is considered HIGH severity. The CVE was published on March 20, 2026, and last modified on June 27, 2026. The vulnerability affects Flatted versions prior to 3.4.2.
- Vendor: WebReflection
- Product: flatted
- CVSS: HIGH 8.9
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-03-20
- Original CVE updated: 2026-06-27
- Advisory published: 2026-03-20
- Advisory updated: 2026-06-27
Who should care
Developers and administrators who use the Flatted library in their applications should be aware of this vulnerability and take steps to mitigate it: update to version 3.4.2 or later and treat JSON data from untrusted sources with caution. Users of Red Hat products may also be affected, as indicated by the Red Hat errata references.
Technical summary
Flatted is a circular JSON parser that is vulnerable to prototype pollution. Its `parse()` function uses string values taken from the parsed JSON as direct array index keys without validating that they are numeric. An attacker-controlled string therefore indexes the parser's internal input buffer, a JavaScript Array, as an arbitrary property name: the key '__proto__' resolves through the Array's inherited getter and returns Array.prototype. The parser treats that object as a legitimately parsed value and assigns it as a property of the output object, leaking a live reference to Array.prototype to the consumer. Any code that subsequently writes to that property pollutes the global prototype.
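To make the unsafe lookup and its fix concrete, here is an added example that models the bug class described above; it is not Flatted's own code, and `lookupUnchecked`, `lookupChecked`, `isSharedPrototype` and the sample buffer are illustrative assumptions.

```javascript
// Added example, not Flatted's code: a simplified model of the bug class.
// "buffer" stands in for the parser's internal list of already-parsed values
// and "key" for the string taken from untrusted JSON and used as an index.

// Vulnerable pattern: the untrusted string is used directly as an array index.
// A non-numeric key such as '__proto__' is resolved on the Array's prototype
// chain and returns Array.prototype instead of an entry of the buffer.
function lookupUnchecked(buffer, key) {
  return buffer[key];
}

// Hardened pattern: accept only a canonical, in-range decimal index.
// Anything else is rejected before it can reach the prototype chain.
const CANONICAL_INDEX = /^(0|[1-9][0-9]*)$/;
function lookupChecked(buffer, key) {
  if (typeof key !== 'string' || !CANONICAL_INDEX.test(key)) {
    throw new TypeError('invalid reference key: ' + JSON.stringify(key));
  }
  const index = Number(key);
  if (index >= buffer.length) {
    throw new RangeError('reference ' + index + ' is out of range');
  }
  return buffer[index];
}

// Consumer-side guard: a parsed value must never be a shared built-in
// prototype, which is exactly what the leak hands back.
function isSharedPrototype(value) {
  return value === Array.prototype || value === Object.prototype;
}

// Constructed sample buffer standing in for a parser's internal value list.
const sampleBuffer = ['a', 'b', { name: 'c' }];

// Runs both lookups against the sample and reports what each does.
function demo() {
  const leaked = lookupUnchecked(sampleBuffer, '__proto__');
  let rejected = false;
  try {
    lookupChecked(sampleBuffer, '__proto__');
  } catch (err) {
    rejected = err instanceof TypeError;
  }
  return {
    leakedPrototype: isSharedPrototype(leaked), // true: Array.prototype escaped
    rejected,                                   // true: hardened lookup refused it
  };
}
```

The guard in `isSharedPrototype` is cheap to add at the boundary where parsed values are assigned into long-lived objects, and catches this leak regardless of which parser produced it.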
Defensive priority
High priority should be given to updating the Flatted library to version 3.4.2 or later. Additionally, defenders should be cautious when parsing JSON data from untrusted sources and consider implementing compensating controls to detect and prevent prototype pollution attacks.
Recommended defensive actions
- Update the Flatted library to version 3.4.2 or later
- Be cautious when parsing JSON data from untrusted sources
- Implement compensating controls to detect and prevent prototype pollution attacks
- Monitor for any suspicious activity related to JSON parsing
- Consider implementing additional security measures to protect against prototype pollution attacks
Evidence notes
The CVE-2026-33228 vulnerability was reported by an unknown source and patched by the vendor, WebReflection. The vulnerability has a CVSS score of 8.9 and is considered HIGH severity. The CVE was published on March 20, 2026, and last modified on June 27, 2026. Red Hat has also provided errata references for this vulnerability, indicating that some of their products may be affected.
Official resources
- CVE-2026-33228 CVE record (CVE.org)
- CVE-2026-33228 NVD detail (NVD)
- Source item URL: nvd_modified
- Mitigation or vendor reference: Patch
- Source reference: Product
- Mitigation or vendor reference: Exploit, Vendor Advisory
- Source reference: 0b0ca135-0b70-47e7-9f44-1890c2a1c46c
This article is AI-assisted and based on the supplied source corpus.