cbcvebase.
CVE-2026-31865
published 2026-03-18

CVE-2026-31865: Elysia is a Typescript framework for request validation, type inference, OpenAPI documentation, and client-server communication. Prior to version 1.4.27, an…

PriorityP428medium5.3CVSS 3.1
AVNACLPRNUINSUCNILAN
EPSS
0.23%
14.0th percentile
Elysia is a Typescript framework for request validation, type inference, OpenAPI documentation, and client-server communication. Prior to version 1.4.27, an Elysia cookie can be overridden by prototype pollution , eg. `__proto__`. This issue is patched in 1.4.27. As a workaround, use t.Cookie validation to enforce validation value and/or prevent iterable over cookie if possible.

Affected

2 ranges
VendorProductVersion rangeFixed in
elysiajselysia< 1.4.271.4.27
elysiajselysia>= 0 < 1.4.271.4.27
Stop checking back — get the weekly exploitation signal.

Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.