HIGH
kaspernj
CVE published 2026-05-29
CVE-2026-46510
form-data-objectizer prior to 1.0.1 is vulnerable to prototype pollution via bracket-notation form keys. An attacker can submit an HTTP form field whose name starts with `__proto__[...]` to mutate `Object.prototype`, which affects the entire Node.js process. This is a HIGH severity vulnerability (CVSS 8.2) with a network attack vector, low complexity, and no privileges required. The issue is fixed in version 1.0.1.
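
The class of bug described above, as an added example that is not code from form-data-objectizer or its 1.0.1 fix: a minimal bracket-notation key parser in a naive form that walks inherited properties, beside a hardened form that rejects dangerous segments and uses prototype-less containers. The function names, the `FORBIDDEN` list and the sample fields are assumptions made for illustration.

```javascript
// Added example: a hypothetical bracket-key parser, NOT form-data-objectizer's code.
const FORBIDDEN = new Set(["__proto__", "constructor", "prototype"]);
const hasOwn = (obj, key) => Object.prototype.hasOwnProperty.call(obj, key);

// "user[address][city]" -> ["user", "address", "city"] (array "[]" keys not handled)
function splitKey(name) {
  return name.split(/[\[\]]+/).filter((seg) => seg !== "");
}

// Naive form: walks inherited properties, so a "__proto__" segment reaches
// Object.prototype and the final assignment lands on every object in the process.
function objectizeNaive(fields) {
  const root = {};
  for (const [name, value] of fields) {
    const path = splitKey(name);
    let node = root;
    for (const seg of path.slice(0, -1)) {
      if (typeof node[seg] !== "object" || node[seg] === null) node[seg] = {};
      node = node[seg];
    }
    node[path[path.length - 1]] = value;
  }
  return root;
}

// Hardened form: reject dangerous segments, use prototype-less containers,
// and only descend into own properties.
function objectizeSafe(fields) {
  const root = Object.create(null);
  for (const [name, value] of fields) {
    const path = splitKey(name);
    if (path.length === 0 || path.some((seg) => FORBIDDEN.has(seg))) {
      throw new Error(`rejected form key: ${JSON.stringify(name)}`);
    }
    let node = root;
    for (const seg of path.slice(0, -1)) {
      if (!hasOwn(node, seg) || typeof node[seg] !== "object" || node[seg] === null) {
        node[seg] = Object.create(null);
      }
      node = node[seg];
    }
    node[path[path.length - 1]] = value;
  }
  return root;
}

// Constructed sample input: [field name, value] pairs as a form parser would yield.
const SAMPLE_FIELDS = [["user[name]", "ann"], ["user[address][city]", "Oslo"]];
console.log(JSON.stringify(objectizeSafe(SAMPLE_FIELDS)));
```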