diff --git a/libs/services/src/rss-xml/rssxml.service.ts b/libs/services/src/rss-xml/rssxml.service.ts
index d88819a8..7ba19ec0 100644
--- a/libs/services/src/rss-xml/rssxml.service.ts
+++ b/libs/services/src/rss-xml/rssxml.service.ts
@@ -498,6 +498,12 @@ export class RSSXMLService {
   }
   async setValue(obj: Record, path: string[], value: any, attributes?: any): Promise {
+    // Validate path to prevent prototype pollution
+    const forbiddenKeys = ['__proto__', 'constructor', 'prototype'];
+    if (path.some(key => forbiddenKeys.includes(key))) {
+      throw new Error('Invalid path: contains forbidden keys');
+    }
+
     let current = obj;
     // Navigate to parent