CVE-2026-48795
Severity CVSS v4.0:
Pending analysis
Type:
Unavailable / Other
Publication date:
15/07/2026
Last modified:
16/07/2026
Description
AdonisJS is a TypeScript-first web framework. From 10.1.3 until 10.1.5 and 11.0.3, AdonisJS @adonisjs/bodyparser incompletely fixed CVE-2026-25754 because nested multipart field payloads such as user.__proto__.polluted and constructor.prototype still caused lodash _.set() via @poppinss/utils to create plain intermediate objects and pollute Object.prototype. This issue is fixed in versions 10.1.5 and 11.0.3.
Impact
Base Score 3.x
8.60
Severity 3.x
HIGH
References to Advisories, Solutions, and Tools
- https://github.com/adonisjs/bodyparser/commit/8a85eb0c2061b0caca10faedbfc2cf24b56cf9f6
- https://github.com/adonisjs/bodyparser/commit/aa96908f7b3f64c19e15d2d2d916b69137bdf469
- https://github.com/adonisjs/bodyparser/releases/tag/v10.1.5
- https://github.com/adonisjs/bodyparser/releases/tag/v11.0.3
- https://github.com/adonisjs/core/security/advisories/GHSA-qcm7-3vpr-hj5h



