
CVE-2026-46510

Published 29/05/2026 14:16 · Modified 29/05/2026 14:16

Labels: CVE-2026-46510, 2026-05-29, CWE-1321, [email protected]

Essential information

Published: 29/05/2026 14:16
Modified: 29/05/2026 14:16
Author:
Creator:
CVSS: 8.2 HIGH (v3.1)
CISA KEV: No
CWE:
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:L

CVSS metrics

Description

form-data-objectizer converts FormData to an object. Prior to 1.0.1, form-data-objectizer walks bracket-notation form keys (e.g. name[sub]) into nested objects without filtering __proto__, constructor, or prototype. A single HTTP form field whose name starts with __proto__[...] causes the library to mutate Object.prototype, giving a prototype pollution primitive that affects the entire Node.js process. This vulnerability is fixed in 1.0.1.

NVD status

Status: Received — CVE has been recently published to the CVE List and has been received by the NVD.
Source: [email protected]

Affected products (CPE)

Product | CPE
form-data-objectizer / form-data-objectizer | cpe:2.3:a:form-data-objectizer:form-data-objectizer:<1.0.1:*:*:*:*:*:*:*
form-data-objectizer / form-data-objectizer | cpe:2.3:a:form-data-objectizer:form-data-objectizer:1.0.1:*:*:*:*:*:*:*

References