Analysis and contextual insights are available on OpenCVE Cloud.
No vendor fix or workaround currently provided.
Additional remediation guidance may be available on OpenCVE Cloud.
Tracking
Sign in to view the affected projects.
| Source | ID | Title |
|---|---|---|
Github GHSA |
GHSA-qcm7-3vpr-hj5h | @adonisjs/bodyparser has an incomplete fix for CVE-2026-25754 |
Thu, 16 Jul 2026 19:30:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Metrics |
ssvc
|
Thu, 16 Jul 2026 01:00:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| First Time appeared |
Adonisjs
Adonisjs core |
|
| Vendors & Products |
Adonisjs
Adonisjs core |
Wed, 15 Jul 2026 21:45:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Description | AdonisJS is a TypeScript-first web framework. From 10.1.3 until 10.1.5 and 11.0.3, AdonisJS @adonisjs/bodyparser incompletely fixed CVE-2026-25754 because nested multipart field payloads such as user.__proto__.polluted and constructor.prototype still caused lodash _.set() via @poppinss/utils to create plain intermediate objects and pollute Object.prototype. This issue is fixed in versions 10.1.5 and 11.0.3. | |
| Title | Incomplete fix for CVE-2026-25754 in @adonisjs/bodyparser | |
| Weaknesses | CWE-1321 | |
| References |
|
|
| Metrics |
cvssV3_1
|
Status: PUBLISHED
Assigner: GitHub_M
Published:
Updated: 2026-07-16T18:49:54.392Z
Reserved: 2026-05-22T20:18:20.366Z
Link: CVE-2026-48795
Updated: 2026-07-16T18:49:50.682Z
No data.
No data.
OpenCVE Enrichment
Updated: 2026-07-17T04:30:03Z
Github GHSA