CVE-2026-33228

Flatted (JSON circular parser) is affected. Prior to 3.4.2, its parse() could treat attacker-controlled string values as direct array index keys, and using the key proto on the internal Array could expose Array.prototype to the output, enabling prototype pollution. The issue has been patched in v...

CVE-2026-32141

The CVE concerns the flatted library (circular JSON parser). Before version 3.4.0, flatted.parse() uses a recursive revive() phase to resolve circular references; crafted payloads with deeply nested or self-referential $ indices can cause unbounded recursion, leading to a stack overflow that cras...