CVE-2026-25754 HIGH

CVE-2026-25754: AdonisJS multipart body parsing has Prototype Pollution issue

Vendor Adonisjs
Product core
Weakness CWE-1321
Published February 6, 2026
Last update February 9, 2026

CVSS base score

7.2/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction None
Confidentiality Low
Integrity Low

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N

What the vulnerability does

01Description

AdonisJS is a TypeScript-first web framework. Prior to versions 10.1.3 and 11.0.0-next.9, a prototype pollution vulnerability in AdonisJS multipart form-data parsing may allow a remote attacker to manipulate object prototypes at runtime. This issue has been patched in versions 10.1.3 and 11.0.0-next.9.

Key dates

02Disclosure timeline

February 6, 2026 CVE published
February 9, 2026 Record updated