CVE-2026-31865
Published 2026-03-18
Priority: P4 · 28 · medium · 5.3 (CVSS 3.1)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
EPSS: 0.23% (14.0th percentile)
Elysia is a TypeScript framework for request validation, type inference, OpenAPI documentation, and client-server communication. Prior to version 1.4.27, an Elysia cookie can be overridden by prototype pollution, e.g. via `__proto__`. This issue is patched in 1.4.27. As a workaround, use `t.Cookie` validation to enforce the cookie value and/or avoid iterating over cookies if possible.
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| elysiajs | elysia | < 1.4.27 | 1.4.27 |
| elysiajs | elysia | >= 0 < 1.4.27 | 1.4.27 |
OSV
Elysia Cookie Value Prototype Pollution
osv·2026-03-17
CVE-2026-31865 [MEDIUM] Elysia Cookie Value Prototype Pollution
### Impact
An Elysia cookie can be overridden by prototype pollution, e.g. via `__proto__`.
Sending a cookie with the following name can override the cookie value:
```bash
__proto__=%7B%22injected%22%3A%22polluted%22%7D
```
### Patches
Patched in 1.4.27
### Workarounds
1. Use `t.Cookie` validation to enforce the cookie value
2. Avoid iterating over cookies if possible
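The following added example is not Elysia's code and not the 1.4.27 patch; it is a generic illustration of why a cookie named `__proto__` is dangerous when parsed cookies are stored on a plain object, next to a hardened parser. The function names and the sample header are constructed for this example, and JSON-decoding of object-looking cookie values is an assumption.

```javascript
// Constructed sample: a normal cookie plus the cookie from the advisory.
const SAMPLE_HEADER =
  'session=abc123; __proto__=%7B%22injected%22%3A%22polluted%22%7D';

// Split a Cookie header into [name, value] pairs. Values that decode to
// something starting with "{" are JSON-parsed (assumed framework convenience).
function splitCookies(header) {
  const pairs = [];
  for (const part of header.split(';')) {
    const eq = part.indexOf('=');
    if (eq < 0) continue;
    const name = part.slice(0, eq).trim();
    let value = part.slice(eq + 1).trim();
    try {
      value = decodeURIComponent(value);
      if (value.startsWith('{')) value = JSON.parse(value);
    } catch {
      // Malformed encoding or JSON: keep whatever string we have so far.
    }
    pairs.push([name, value]);
  }
  return pairs;
}

// Weak form: on a plain object, jar['__proto__'] = <object> does not create
// a key, it replaces the jar's prototype with the client-supplied object.
function parseCookiesUnsafe(header) {
  const jar = {};
  for (const [name, value] of splitCookies(header)) jar[name] = value;
  return jar;
}

// Hardened form: null-prototype store, and prototype-related names dropped.
const FORBIDDEN_NAMES = new Set(['__proto__', 'constructor', 'prototype']);
function parseCookiesSafe(header) {
  const jar = Object.create(null);
  for (const [name, value] of splitCookies(header)) {
    if (!FORBIDDEN_NAMES.has(name)) jar[name] = value;
  }
  return jar;
}

// Names a for...in loop sees, inherited ones included (workaround 2).
function enumerate(jar) {
  const names = [];
  for (const name in jar) names.push(name);
  return names;
}
```

With the unsafe parser, `injected` reads back as a cookie and shows up in `for...in` even though it is not an own property of the jar; schema validation of expected cookie names and values (workaround 1) rejects or ignores such entries.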
GHSA
Elysia Cookie Value Prototype Pollution
ghsa·2026-03-17
CVE-2026-31865 [MEDIUM] CWE-1321 Elysia Cookie Value Prototype Pollution
No detection rules found.
No public exploits indexed.
Published: 2026-03-18