PT-2026-41696 · Git+2 · Form-Data-Objectizer

0Xbassia

·

Published

2026-05-18

·

Updated

2026-06-02

·

CVE-2026-46510

CVSS v3.1

8.2

High

VectorAV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:L
Name of the Vulnerable Software and Affected Versions form-data-objectizer versions prior to 1.0.1
Description The software fails to filter proto, constructor, or prototype when converting FormData to objects using bracket-notation form keys. An attacker can submit a single HTTP form field with a name starting with proto [...] to mutate Object.prototype, leading to prototype pollution across the entire Node.js process. This occurs within the treatInitial() and treatSecond() functions in index.cjs. This issue can be exploited to bypass security checks, inject configuration values, disrupt template rendering, or cause a denial of service by crashing the worker process.
Recommendations Update to version 1.0.1.

Exploit

Fix

Prototype Pollution

Found an issue in the description? Have something to add? Feel free to write us 👾

Weakness Enumeration

Related Identifiers

CVE-2026-46510
GHSA-M2HG-WJQ3-28WQ

Affected Products

Form-Data-Objectizer