CVE-2026-33863 is a low severity vulnerability with a CVSS score of 0.0. No known public exploits at this time.
EPSS: very low probability of exploitation. EPSS predicts the probability that a vulnerability will be exploited in the next 30 days from real-world threat data, complementing the CVSS severity score with an estimate of actual risk.
Two unguarded prototype pollution paths exist that were not covered by previous fixes:
1. config.load() / config.loadFile() — overlay() recursively merges config data without checking for forbidden keys. Input containing __proto__ or constructor.prototype (e.g. from a JSON file) causes the recursion to reach Object.prototype and write attacker-controlled values onto it.
2. convict({...}) — passing constructor.prototype.* keys to convict({...}) causes default-value propagation to write directly to Object.prototype at startup.
Depending on how the polluted properties are consumed, impact ranges from unexpected behavior to authentication bypass or RCE.
Do not pass untrusted data to load(), loadFile(), or convict().
Prior advisory: GHSA-44fc-8fm5-q62h
Related issue: https://github.com/mozilla/node-convict/issues/423
Please cite this page when referencing data from Strobes VI. Proper attribution helps support our vulnerability intelligence research.