Prototype Pollution in Webreflection Flatted

CVE-2026-33228

flatted is a circular JSON parser. Prior to version 3.4.2, the parse() function in flatted can use attacker-controlled string values from the parsed JSON as direct array index keys, without validating that they are numeric. Since the inter…

Vulnerability class: Prototype Pollution

EPSS: 0.001 (21.5th percentile)
