Export CSV

Products

1 vendor
VendorProductsCVEsKEVAvg EPSSWorst Severity
12045.2%HIGH

Related CVEs

2
CVE IDDescriptionSeverityCVSSKEVEPSSPublished
CVE-2026-33228flatted is a circular JSON parser. Prior to version 3.4.2, the parse() function in flatted can use attacker-controlled string values from the parsed JSON as direct array index keys, without validating that they are numeric. Since the internal input buffer is a JavaScript Array, accessing it with the key "__proto__" returns Array.prototype via the inherited getter. This object is then treated as a legitimate parsed value and assigned as a property of the output object, effectively leaking a live reference to Array.prototype to the consumer. Any code that subsequently writes to that property will pollute the global prototype. This issue has been patched in version 3.4.2.HIGH8.948.7%Mar 20, 2026
CVE-2026-32141flatted is a circular JSON parser. Prior to 3.4.0, flatted's parse() function uses a recursive revive() phase to resolve circular references in deserialized JSON. When given a crafted payload with deeply nested or self-referential $ indices, the recursion depth is unbounded, causing a stack overflow that crashes the Node.js process. This vulnerability is fixed in 3.4.0.HIGH7.541.8%Mar 12, 2026