Product
The `@rvf/set-get` library, used by `@rvf/core`, is vulnerable to prototype pollution via form data processing; the `setPath` function does not block the keys `__proto__`, `constructor`, or `prototype` when walking a path, allowing attackers to set arbitrary properties on `Object.prototype` of the running server process via HTTP form submissions (CVE-2026-44483).