CVE-2026-48795
Received
Received - Intake
Prototype Pollution in AdonisJS Bodyparser
Vulnerability report for CVE-2026-48795, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.
Publication date: 2026-07-15
Last updated on: 2026-07-15
Assigner: GitHub, Inc.
Description
Description
AdonisJS is a TypeScript-first web framework. From 10.1.3 until 10.1.5 and 11.0.3, AdonisJS @adonisjs/bodyparser incompletely fixed CVE-2026-25754 because nested multipart field payloads such as user.__proto__.polluted and constructor.prototype still caused lodash _.set() via @poppinss/utils to create plain intermediate objects and pollute Object.prototype. This issue is fixed in versions 10.1.5 and 11.0.3.
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| adonisjs | bodyparser | From 10.1.3 (inc) to 10.1.5 (inc) |
| adonisjs | bodyparser | 11.0.3 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-1321 | The product receives input from an upstream component that specifies attributes that are to be initialized or updated in an object, but it does not properly control modifications of attributes of the object prototype. |