216.73.216.133

CVE-2026-44483

· Published 27/05/2026 17:16 · Modified 27/05/2026 20:16

Labels: CVE-2026-44483 2026-05-27CVE-2026-44483CWE-1321[email protected]

Essential information

Published
27/05/2026 17:16
Modified
27/05/2026 20:16
Author
Creator
CVSS
8.2 HIGH (v3.1)
CISA KEV
No
CWE
CVSS vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:L

CVSS metrics

Description

RVF (formerly Remix Validated Form) provides easy form validation and state management for React. From 6.0.0 to before 6.0.4 and 7.0.2, setPath in @rvf/set-get (used by @rvf/core to flatten incoming form data into a nested object) does not block the keys __proto__, constructor, or prototype when walking a path. Because field names in submitted form data are passed directly to setPath via preprocessFormData (and through parseFormData / validate), an attacker who can submit a form to a Remix / React Router app using the library can set arbitrary properties on Object.prototype of the running server process. This is a default-reachable prototype pollution primitive: no special configuration is required. Any endpoint that accepts a form via parseFormData or runs a validator created with createValidator is affected. This vulnerability is fixed in 6.0.4 and 7.0.2.

NVD status

Status
Received — CVE has been recently published to the CVE List and has been received by the NVD.
Source
[email protected]
NVD
View on NVD

Affected products (CPE)

ProductCPE
rvf / remix validated form cpe:2.3:a:rvf:remix_validated_form:6.0.0-6.0.4:*:*:*:*:*:*:*
rvf / remix validated form cpe:2.3:a:rvf:remix_validated_form:7.0.2:*:*:*:*:*:*:*

References