CVE-2026-46510

Published: Mag 29, 2026 Last Modified: Mag 29, 2026

ExploitDB:

Other exploit source:

Google Dorks:

HIGH 8,2

Source: [email protected]

Attack Vector: network

Attack Complexity: low

Privileges Required: none

User Interaction: none

Scope: unchanged

Confidentiality: none

Integrity: high

Availability: low

Description

AI Translation Available

form-data-objectizer converts FormData to object. Prior to 1.0.1, form-data-objectizer walks bracket-notation form keys (e.g. name[sub]) into nested objects without filtering __proto__, constructor, or prototype. A single HTTP form field whose name starts with __proto__[...] causes the library to mutate Object.prototype, which is a prototype pollution primitive of the entire Node.js process. This vulnerability is fixed in 1.0.1.

1321

Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')

Incomplete

Abstraction: Variant Structure: Simple

Common Consequences

Security Scopes Affected:

Confidentiality Integrity Availability

Potential Impacts:

Read Application Data Modify Application Data Dos: Crash, Exit, Or Restart

Applicable Platforms

Languages: JavaScript

View CWE Details

https://github.com/kaspernj/form-data-objectizer/commit/7c5…

https://github.com/kaspernj/form-data-objectizer/commit/7c54b99408e6e9cd6533b72…

https://github.com/kaspernj/form-data-objectizer/security/a…

https://github.com/kaspernj/form-data-objectizer/security/advisories/GHSA-m2hg-…

CVE-2026-46510

Description

Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')

Common Consequences

Applicable Platforms

Iscriviti alla newsletter