CVE-2026-48795 in AdonisJSinformation

Résumé

par MITRE • 16/07/2026

AdonisJS is a TypeScript-first web framework. From 10.1.3 until 10.1.5 and 11.0.3, AdonisJS @adonisjs/bodyparser incompletely fixed CVE-2026-25754 because nested multipart field payloads such as user.__proto__.polluted and constructor.prototype still caused lodash _.set() via @poppinss/utils to create plain intermediate objects and pollute Object.prototype. This issue is fixed in versions 10.1.5 and 11.0.3.

If you want to get best quality of vulnerability data, you may have to visit VulDB.

Responsable

GitHub M

Réserver

22/05/2026

Divulgation

16/07/2026

Modérer

accepté

Entrée

VDB-379439

CPE

prêt

EPSS

0.00000

KEV

non

Activités

très faible

Sources

Do you need the next level of professionalism?

Upgrade your account now!