PT-2026-39894

Name of the Vulnerable Software and Affected Versions RVF versions 6.0.0 through 6.0.3 RVF versions 7.0.0 through 7.0.1 Description The setPath function in @rvf/set-get used by @rvf/core to flatten incoming form data into a nested object fails to block the keys proto , constructor, or prototype...

Remix and React Router allow URL manipulation via Host / X-Forwarded-Host headers

Impact We received a report about a vulnerability in Remix/React Router that affects all Remix 2 and React Router 7 consumers using the Express adapter. Basically, this vulnerability allows anyone to spoof the URL used in an incoming Request by putting a URL pathname in the port section of a URL...