๐Ÿ” CVE Alert

CVE-2026-48795

HIGH 8.6

Incomplete fix for CVE-2026-25754 in @adonisjs/bodyparser

CVSS Score
8.6
EPSS Score
0.0%
EPSS Percentile
0th

AdonisJS is a TypeScript-first web framework. From 10.1.3 until 10.1.5 and 11.0.3, AdonisJS @adonisjs/bodyparser incompletely fixed CVE-2026-25754 because nested multipart field payloads such as user.__proto__.polluted and constructor.prototype still caused lodash _.set() via @poppinss/utils to create plain intermediate objects and pollute Object.prototype. This issue is fixed in versions 10.1.5 and 11.0.3.

CWE CWE-1321
Vendor adonisjs
Product core
Published Jul 15, 2026
Stay Ahead of the Next One

Get instant alerts for adonisjs core

Be the first to know when new high vulnerabilities affecting adonisjs core are published โ€” delivered to Slack, Telegram or Discord.

Get Free Alerts โ†’ Free ยท No credit card ยท 60 sec setup

CVSS v3 Breakdown

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
Low
Availability
High

Affected Versions

adonisjs / core
>= 10.1.3, < 10.1.5 >= 11.0.0-next.9, < 11.0.3

References

NVD โ†— CVE.org โ†— EPSS Data โ†—
github.com: https://github.com/adonisjs/core/security/advisories/GHSA-qcm7-3vpr-hj5h github.com: https://github.com/adonisjs/bodyparser/commit/8a85eb0c2061b0caca10faedbfc2cf24b56cf9f6 github.com: https://github.com/adonisjs/bodyparser/commit/aa96908f7b3f64c19e15d2d2d916b69137bdf469 github.com: https://github.com/adonisjs/bodyparser/releases/tag/v10.1.5 github.com: https://github.com/adonisjs/bodyparser/releases/tag/v11.0.3