CVE-2026-48819 Hey API: `buildClientParams` template: prototype chain substitution via unknown `$<slot>___proto__` key
Hey API is an ecosystem for turning API specifications into production-ready code. Prior to 0.97.3, dist/clients/core/params.ts ships a runtime template copied into generated SDKs as params.gen.ts, and buildClientParams writes unknown slot-prefixed keys such as $body, $headers, $path, and $query...