Prototype Pollution via __proto__ in flatted prior to 3.4.2
CVE-2026-33228 Published on March 20, 2026

flatted: Prototype Pollution via parse()
flatted is a circular JSON parser. Prior to version 3.4.2, the parse() function in flatted can use attacker-controlled string values from the parsed JSON as direct array index keys, without validating that they are numeric. Since the internal input buffer is a JavaScript Array, accessing it with the key "__proto__" returns Array.prototype via the inherited getter. This object is then treated as a legitimate parsed value and assigned as a property of the output object, effectively leaking a live reference to Array.prototype to the consumer. Any code that subsequently writes to that property will pollute the global prototype. This issue has been patched in version 3.4.2.

NVD

Vulnerability Analysis

CVE-2026-33228 is exploitable with network access, and does not require authorization privileges or user interaction. This vulnerability is considered to have a low attack complexity. An automatable proof of concept (POC) exploit exists. The potential impact of an exploit of this vulnerability is considered to be critical as this vulnerability has a high impact to the confidentiality, integrity and availability of this component.

Attack Vector:
NETWORK
Attack Complexity:
LOW
Privileges Required:
NONE
User Interaction:
NONE
Scope:
UNCHANGED
Confidentiality Impact:
HIGH
Integrity Impact:
HIGH
Availability Impact:
HIGH

Weakness Types

What is a Prototype Pollution Vulnerability?

The software receives input from an upstream component that specifies attributes that are to be initialized or updated in an object, but it does not properly control modifications of attributes of the object prototype.

CVE-2026-33228 has been classified to as a Prototype Pollution vulnerability or weakness.

What is a Mass Assignment Vulnerability?

The software receives input from an upstream component that specifies multiple attributes, properties, or fields that are to be initialized or updated in an object, but it does not properly control which attributes can be modified.

CVE-2026-33228 has been classified to as a Mass Assignment vulnerability or weakness.


Products Associated with CVE-2026-33228

Want to know whenever a new CVE is published for Red Hat products? stack.watch will email you.

Red Hat Rhdh
 
Red Hat 3scale Amp
 
Red Hat Build Keycloak
 
Red Hat Single Sign On
 
Red Hat Cryostat
 
Red Hat Logging
 
Red Hat Multicluster Engine
 
Red Hat Acm
 
Red Hat Amq Broker
 
Red Hat Service Registry
 
Red Hat Optaplanner
 
Red Hat Podman Desktop
 
Red Hat Jboss Data Grid
 
Red Hat Directory Server
 
Red Hat Enterprise Linux (RHEL)
 
Red Hat Jboss Fuse
 
Red Hat Jboss Enterprise Application Platform
 
Red Hat Jbosseapxp
 
Red Hat Openshift Ai
 
Red Hat Openshift
 
Red Hat Jboss Enterprise Bpms Platform
 
Red Hat Quay
 
Red Hat Amq Streams
 

Affected Versions

WebReflection flatted: Red Hat Developer Hub 1.8: Red Hat Developer Hub 1.9: Red Hat 3scale API Management Platform 2: Red Hat Build of Keycloak: Red Hat Single Sign-On 7: Red Hat Cryostat 4: Logging Subsystem for Red Hat OpenShift: Red Hat Multicluster Engine for Kubernetes: Red Hat Advanced Cluster Management for Kubernetes 2: Red Hat AMQ Broker 7: Red Hat build of Apicurio Registry 2: Red Hat build of OptaPlanner 8: Red Hat Build of Podman Desktop: Red Hat Data Grid 8: Red Hat Directory Server 11: Red Hat Directory Server 12: Red Hat Directory Server 13: Red Hat Enterprise Linux 10: Red Hat Enterprise Linux 8: Red Hat Enterprise Linux 9: Red Hat Fuse 7: Red Hat JBoss Enterprise Application Platform 7: Red Hat JBoss Enterprise Application Platform 8: Red Hat JBoss Enterprise Application Platform Expansion Pack: Red Hat OpenShift AI (RHOAI): Red Hat OpenShift Container Platform 4: Red Hat Process Automation 7: Red Hat Quay 3: Red Hat streams for Apache Kafka 2: Red Hat streams for Apache Kafka 3:

Exploit Probability

EPSS
0.61%
Percentile
44.61%

EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.