By weakness (CWE)
CWE-1321: related vulnerabilities
CVEs classified under CWE-1321. Understanding the weakness class helps prioritize systemic fixes over one-off patches.
3 published vulnerabilities
- CVE-2026-45302HIGH 8.2
parse-nested-form-data is a Node.js library that converts web form submissions into structured JavaScript objects and arrays. Versions before 1.0.1 contain a prototype pollution vulnerability: if an attacker submits a form field with a name like `__proto__` or containing `.__proto__.` anywhere in it, the parser inadvertently modifies JavaScript's Object.prototype. This pollutes the prototype chain for every plain object created in the application afterward, potentially corrupting application logic, exposing sensitive data, or enabling denial of service.
- CVE-2026-46509HIGH 8.2
The deepobj library contains a prototype pollution vulnerability that allows attackers to manipulate JavaScript object prototypes through specially crafted property paths. When an application uses deepobj to get, set, or delete nested object properties—and exposes the property path to attacker input—an attacker can inject payloads using __proto__, constructor, or prototype keywords to corrupt the prototype chain. This can lead to unexpected behavior, denial of service, or in certain contexts, code execution. The vulnerability was resolved in version 1.0.3.
- CVE-2026-46510HIGH 8.2
form-data-objectizer is a Node.js library that converts HTML form data into JavaScript objects. Versions prior to 1.0.1 contain a prototype pollution vulnerability. An attacker can craft an HTTP form submission with a specially-named field (beginning with __proto__) that causes the library to overwrite Object.prototype—the base template all JavaScript objects inherit from. This single malicious form field corrupts the entire Node.js process, allowing an attacker to inject arbitrary properties into all objects, potentially leading to authentication bypass, data manipulation, or application crashes.