CVSS 8.2 HIGH Vulnerability

CVE-2026-46510: form-data-objectizer: Prototype pollution in form-data-objectizer via bracket-notation fo…


CVSS Score: 8.2
Severity: HIGH
CISA KEV: No
Impact Type: Vulnerability

📋 Vulnerability Details

CVE ID: CVE-2026-46510
Vendor: npm
Affected Product: form-data-objectizer
Vulnerability Type: Vulnerability
CVSS Score: 8.2 (HIGH)
Actively Exploited: No known exploitation
Patch Status: See Vendor Advisory
Reported By: CYBERDUDEBIVASH SENTINEL APEX Intelligence (via github_advisories)

🔬 Technical Analysis


Summary: form-data-objectizer walks bracket-notation form keys (e.g. `name[sub]`) into nested objects without filtering `__proto__`, `constructor`, or `prototype`. A single HTTP form field whose name starts with `__proto__[...]` causes the library to mutate `Object.prototype`, which is a prototype pollution primitive for the entire Node.js process. The bug is in `treatInitial` and `treatSecond` inside `index.cjs`:

```js
if (inputName in result) { // 'in' walks the prototype chain, so '__proto__' matches
  newResult = result[inputName] // newResult === Object.prototype
}
// ...
result[key] = value // sets the property on Object.prototype
```

With the form key `__proto__[polluted]` and value `yes`:

1. `treatInitial` matches `inputName = "__proto__"`, `rest = "[polluted]"`.
2. `"__proto__"` i
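The two defensive changes the analysis above points at (refuse the reserved segment names, and never let an `in` lookup climb a prototype chain) shown as an added example; this is not form-data-objectizer's own code, and `parseFormKey`, `objectize`, `SAMPLE_BODY` and the URLSearchParams input are assumptions of this example.

```javascript
// Added example (not form-data-objectizer's own code): a hardened walker for
// bracket-notation form keys. Reserved segment names are rejected up front, and
// containers are looked up with an own-property check on null-prototype objects
// instead of `in` on a plain {} that inherits from Object.prototype.
const UNSAFE_SEGMENTS = new Set(['__proto__', 'constructor', 'prototype']);

// "user[address][city]" -> ["user", "address", "city"]; null if the key is
// malformed or any segment is one of the reserved names.
function parseFormKey(key) {
  const m = /^([^\[\]]+)((?:\[[^\[\]]*\])*)$/.exec(key);
  if (m === null) return null;
  const segments = [m[1]];
  const bracket = /\[([^\[\]]*)\]/g;
  let part;
  while ((part = bracket.exec(m[2])) !== null) segments.push(part[1]);
  return segments.some((s) => UNSAFE_SEGMENTS.has(s)) ? null : segments;
}

// fields: any iterable of [name, value] pairs, e.g. a parsed URLSearchParams body.
// Returns the nested object plus the list of field names that were refused.
function objectize(fields) {
  const result = Object.create(null); // no prototype chain to climb into
  const rejected = [];
  for (const [key, value] of fields) {
    const segments = parseFormKey(key);
    if (segments === null) { rejected.push(key); continue; }
    let cursor = result;
    for (const seg of segments.slice(0, -1)) {
      // Own-property check: an inherited name such as __proto__ is never picked up here.
      if (!Object.hasOwn(cursor, seg) || typeof cursor[seg] !== 'object' || cursor[seg] === null) {
        cursor[seg] = Object.create(null);
      }
      cursor = cursor[seg];
    }
    cursor[segments[segments.length - 1]] = value;
  }
  return { result, rejected };
}

// Constructed sample body: two legitimate nested fields and the advisory's polluting key.
const SAMPLE_BODY = 'user[name]=ann&user[address][city]=Oslo&__proto__[polluted]=yes';
```

Calling `objectize(new URLSearchParams(SAMPLE_BODY))` yields `{ user: { name: 'ann', address: { city: 'Oslo' } } }` with `__proto__[polluted]` listed in `rejected`, and `({}).polluted` stays `undefined` afterwards.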

📚 Advisory References

