AdonisJS Vulnerability in Bodyparser Affects TypeScript Web Framework
CVE-2026-48795

8.6HIGH

Key Information:

Vendor

Adonisjs

Status
Vendor
CVE Published:
15 July 2026

What is CVE-2026-48795?

The @adonisjs/bodyparser module of the AdonisJS web framework contains a vulnerability that allows an attacker to manipulate object prototypes through nested multipart field payloads. Specifically, the improper handling of objects in the payload can lead to Object.prototype pollution, allowing for unexpected behavior in the application. This issue has been addressed in versions 10.1.5 and 11.0.3, which provide a complete fix for the conflicting handling mechanisms introduced in earlier versions. Developers are encouraged to upgrade to the latest versions to mitigate this risk.

Affected Version(s)

core >= 10.1.3, < 10.1.5 < 10.1.3, 10.1.5

core >= 11.0.0-next.9, < 11.0.3 < 11.0.0-next.9, 11.0.3

References

CVSS V3.1

Score:
8.6
Severity:
HIGH
Confidentiality:
Low
Integrity:
Low
Availability:
Low
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.