Prototype Pollution Vulnerability in RVF Library Used by React
CVE-2026-44483

8.2 HIGH

Key Information:

Vendor: Airjp73

CVE Published: 27 May 2026

What is CVE-2026-44483?

The RVF (Remix Validated Form) library, used for managing form validation in React applications, is susceptible to a prototype pollution vulnerability. The issue arises in the setPath function of @rvf/set-get, which does not reject the keys `__proto__`, `constructor` and `prototype` while walking the path segments of incoming form data. An attacker can therefore submit crafted form field names to a server that uses the library and set properties on Object.prototype in the server process. The risk concentrates on server-side endpoints that pass untrusted form data through parseFormData or createValidator, which is why form data must be sanitized before it is expanded into nested objects. The vulnerability is fixed in versions 6.0.4 and 7.0.2.
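The following is an added example and not code from rvf or @rvf/set-get: a hypothetical setPath-style helper that applies the mitigation the advisory describes, refusing the `__proto__`, `constructor` and `prototype` segments before it walks or creates any object, and only descending into own properties. The path grammar (`a.b[0].c`) and the `formEntriesToObject` wrapper, which stands in for a server-side parseFormData step, are assumptions for illustration.

```javascript
// Added example (not the rvf / @rvf/set-get implementation): a hardened
// setPath that blocks prototype-polluting path segments from form field names.

// Segments that would let a path escape the target object and reach
// Object.prototype. These are exactly the keys the advisory names.
const UNSAFE_SEGMENTS = new Set(["__proto__", "constructor", "prototype"]);

// Split "user.roles[0]" into ["user", "roles", "0"].
// Simplified path grammar, assumed for this example.
function parsePath(path) {
  return path
    .replace(/\[(\w+)\]/g, ".$1")
    .split(".")
    .filter((segment) => segment.length > 0);
}

function isUnsafeSegment(segment) {
  return UNSAFE_SEGMENTS.has(segment);
}

// Set `value` at `path` inside `target`, creating intermediate objects or
// arrays as needed. Throws instead of touching a dangerous segment.
function safeSetPath(target, path, value) {
  const segments = Array.isArray(path) ? path : parsePath(path);
  if (segments.length === 0) {
    throw new Error("Refusing to set an empty path");
  }
  // Validate the whole path up front so nothing is created on a bad path.
  for (const segment of segments) {
    if (isUnsafeSegment(segment)) {
      throw new Error(`Refusing to set path segment "${segment}"`);
    }
  }
  let cursor = target;
  for (let i = 0; i < segments.length - 1; i++) {
    const segment = segments[i];
    const existing = Object.prototype.hasOwnProperty.call(cursor, segment)
      ? cursor[segment]
      : undefined;
    // Only follow own properties; never walk into an inherited value.
    if (existing === null || typeof existing !== "object") {
      cursor[segment] = /^\d+$/.test(segments[i + 1]) ? [] : {};
    }
    cursor = cursor[segment];
  }
  cursor[segments[segments.length - 1]] = value;
  return target;
}

// Expand [name, value] pairs (the shape of FormData entries) into a nested
// object, the way a server-side form parser would. Assumed wrapper.
function formEntriesToObject(entries) {
  const result = {};
  for (const [name, value] of entries) {
    safeSetPath(result, name, value);
  }
  return result;
}

// Constructed sample input: a benign submission and a hostile field name.
const benignEntries = [
  ["user.name", "alice"],
  ["user.roles[0]", "editor"],
];
const hostileEntries = [["__proto__.isAdmin", "true"]];

// Returns true when the hostile submission was rejected and Object.prototype
// was left untouched; the check a test suite for the parser should make.
function hostileInputRejected() {
  let rejected = false;
  try {
    formEntriesToObject(hostileEntries);
  } catch (err) {
    rejected = true;
  }
  return rejected && ({}).isAdmin === undefined;
}

console.log(JSON.stringify(formEntriesToObject(benignEntries)));
console.log("hostile input rejected:", hostileInputRejected());
```

The up-front scan of every segment matters: validating only the final key would still let an intermediate `constructor.prototype` segment reach the shared prototype, and validating lazily could create partial structure before the rejection. The own-property check is the second layer, so that a path through an inherited name never follows the prototype chain.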

Affected Version(s)

| Package | Affected range | Not affected |
| --- | --- | --- |
| rvf | >= 7.0.0, < 7.0.2 | < 7.0.0, 7.0.2 |
| rvf | >= 6.0.0, < 6.0.4 | < 6.0.0, 6.0.4 |
| set-get | >= 7.0.0, < 7.0.2 | < 7.0.0, 7.0.2 |

References

CVSS V3.1

Score: 8.2
Severity: HIGH
Confidentiality: None
Integrity: High
Availability: None
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability reserved