Vulnerability-Lookup

CVE-2026-45302 (GCVE-0-2026-45302)

Vulnerability from cvelistv5 – Published: 2026-06-01 17:20 – Updated: 2026-06-02 14:45

Title

Prototype Pollution in parse-nested-form-data via `__proto__` in FormData field names

Summary

parse-nested-form-data is a tiny node module for parsing FormData by name into objects and arrays. Prior to version 1.0.1, parseFormData() walks bracket and dot-notation FormData field names into nested objects without filtering reserved property keys. A single FormData field whose name begins with __proto__, or contains .__proto__. mid-path, causes the parser to traverse onto Object.prototype and assign properties there, polluting the prototype chain of every plain object in the running process. This issue has been patched in version 1.0.1.

Severity

8.2 (High)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:L

SSVC

Exploitation: poc Automatable: yes Technical Impact: partial

CISA Coordinator (v2.0.3)

CWE

CWE-1321 - Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')

Assigner

GitHub_M

References

3 references

URL	Tags
https://github.com/milamer/parse-nested-form-data…	x_refsource_CONFIRM
https://github.com/milamer/parse-nested-form-data…	x_refsource_MISC
https://github.com/milamer/parse-nested-form-data…	x_refsource_MISC

Impacted products

1 product

Vendor	Product	Version
milamer	parse-nested-form-data	Affected: < 1.0.1

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-45302",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-06-02T14:44:56.480694Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-06-02T14:45:17.644Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "references": [
          {
            "tags": [
              "exploit"
            ],
            "url": "https://github.com/milamer/parse-nested-form-data/security/advisories/GHSA-xp7r-j8r6-j9h3"
          }
        ],
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "parse-nested-form-data",
          "vendor": "milamer",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 1.0.1"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "parse-nested-form-data is a tiny node module for parsing FormData by name into objects and arrays. Prior to version 1.0.1, parseFormData() walks bracket and dot-notation FormData field names into nested objects without filtering reserved property keys. A single FormData field whose name begins with __proto__, or contains .__proto__. mid-path, causes the parser to traverse onto Object.prototype and assign properties there, polluting the prototype chain of every plain object in the running process. This issue has been patched in version 1.0.1."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "LOW",
            "baseScore": 8.2,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "NONE",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:L",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-1321",
              "description": "CWE-1321: Improperly Controlled Modification of Object Prototype Attributes (\u0027Prototype Pollution\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-06-01T17:20:34.772Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/milamer/parse-nested-form-data/security/advisories/GHSA-xp7r-j8r6-j9h3",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/milamer/parse-nested-form-data/security/advisories/GHSA-xp7r-j8r6-j9h3"
        },
        {
          "name": "https://github.com/milamer/parse-nested-form-data/commit/527ad58eb486e32438f7198fb88315c20449d792",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/milamer/parse-nested-form-data/commit/527ad58eb486e32438f7198fb88315c20449d792"
        },
        {
          "name": "https://github.com/milamer/parse-nested-form-data/releases/tag/v1.0.1",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/milamer/parse-nested-form-data/releases/tag/v1.0.1"
        }
      ],
      "source": {
        "advisory": "GHSA-xp7r-j8r6-j9h3",
        "discovery": "UNKNOWN"
      },
      "title": "Prototype Pollution in parse-nested-form-data via `__proto__` in FormData field names"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2026-45302",
    "datePublished": "2026-06-01T17:20:34.772Z",
    "dateReserved": "2026-05-11T20:14:43.202Z",
    "dateUpdated": "2026-06-02T14:45:17.644Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "vulnerability-lookup:meta": {
    "epss": {
      "cve": "CVE-2026-45302",
      "date": "2026-06-08",
      "epss": "0.0006",
      "percentile": "0.18831"
    },
    "nvd": "{\"cve\":{\"id\":\"CVE-2026-45302\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2026-06-01T19:16:51.113\",\"lastModified\":\"2026-06-02T16:16:41.663\",\"vulnStatus\":\"Deferred\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"parse-nested-form-data is a tiny node module for parsing FormData by name into objects and arrays. Prior to version 1.0.1, parseFormData() walks bracket and dot-notation FormData field names into nested objects without filtering reserved property keys. A single FormData field whose name begins with __proto__, or contains .__proto__. mid-path, causes the parser to traverse onto Object.prototype and assign properties there, polluting the prototype chain of every plain object in the running process. This issue has been patched in version 1.0.1.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:L\",\"baseScore\":8.2,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"LOW\"},\"exploitabilityScore\":3.9,\"impactScore\":4.2}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-1321\"}]}],\"references\":[{\"url\":\"https://github.com/milamer/parse-nested-form-data/commit/527ad58eb486e32438f7198fb88315c20449d792\",\"source\":\"security-advisories@github.com\"},{\"url\":\"https://github.com/milamer/parse-nested-form-data/releases/tag/v1.0.1\",\"source\":\"security-advisories@github.com\"},{\"url\":\"https://github.com/milamer/parse-nested-form-data/security/advisories/GHSA-xp7r-j8r6-j9h3\",\"source\":\"security-advisories@github.com\"},{\"url\":\"https://github.com/milamer/parse-nested-form-data/security/advisories/GHSA-xp7r-j8r6-j9h3\",\"source\":\"134c704f-9b21-4f2e-91b3-4a467353bcc0\"}]}}",
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2026-45302\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"poc\"}, {\"Automatable\": \"yes\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2026-06-02T14:44:56.480694Z\"}}}], \"references\": [{\"url\": \"https://github.com/milamer/parse-nested-form-data/security/advisories/GHSA-xp7r-j8r6-j9h3\", \"tags\": [\"exploit\"]}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2026-06-02T14:44:14.933Z\"}}], \"cna\": {\"title\": \"Prototype Pollution in parse-nested-form-data via `__proto__` in FormData field names\", \"source\": {\"advisory\": \"GHSA-xp7r-j8r6-j9h3\", \"discovery\": \"UNKNOWN\"}, \"metrics\": [{\"cvssV3_1\": {\"scope\": \"UNCHANGED\", \"version\": \"3.1\", \"baseScore\": 8.2, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"HIGH\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:L\", \"integrityImpact\": \"HIGH\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"LOW\", \"privilegesRequired\": \"NONE\", \"confidentialityImpact\": \"NONE\"}}], \"affected\": [{\"vendor\": \"milamer\", \"product\": \"parse-nested-form-data\", \"versions\": [{\"status\": \"affected\", \"version\": \"\u003c 1.0.1\"}]}], \"references\": [{\"url\": \"https://github.com/milamer/parse-nested-form-data/security/advisories/GHSA-xp7r-j8r6-j9h3\", \"name\": \"https://github.com/milamer/parse-nested-form-data/security/advisories/GHSA-xp7r-j8r6-j9h3\", \"tags\": [\"x_refsource_CONFIRM\"]}, {\"url\": \"https://github.com/milamer/parse-nested-form-data/commit/527ad58eb486e32438f7198fb88315c20449d792\", \"name\": \"https://github.com/milamer/parse-nested-form-data/commit/527ad58eb486e32438f7198fb88315c20449d792\", \"tags\": [\"x_refsource_MISC\"]}, {\"url\": \"https://github.com/milamer/parse-nested-form-data/releases/tag/v1.0.1\", \"name\": \"https://github.com/milamer/parse-nested-form-data/releases/tag/v1.0.1\", \"tags\": [\"x_refsource_MISC\"]}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"parse-nested-form-data is a tiny node module for parsing FormData by name into objects and arrays. Prior to version 1.0.1, parseFormData() walks bracket and dot-notation FormData field names into nested objects without filtering reserved property keys. A single FormData field whose name begins with __proto__, or contains .__proto__. mid-path, causes the parser to traverse onto Object.prototype and assign properties there, polluting the prototype chain of every plain object in the running process. This issue has been patched in version 1.0.1.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-1321\", \"description\": \"CWE-1321: Improperly Controlled Modification of Object Prototype Attributes (\u0027Prototype Pollution\u0027)\"}]}], \"providerMetadata\": {\"orgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"shortName\": \"GitHub_M\", \"dateUpdated\": \"2026-06-01T17:20:34.772Z\"}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2026-45302\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2026-06-02T14:45:17.644Z\", \"dateReserved\": \"2026-05-11T20:14:43.202Z\", \"assignerOrgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"datePublished\": \"2026-06-01T17:20:34.772Z\", \"assignerShortName\": \"GitHub_M\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }
  }
}

FKIE_CVE-2026-45302

Vulnerability from fkie_nvd - Published: 2026-06-01 19:16 - Updated: 2026-06-02 16:16

Severity

8.2 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:L

Summary

References

	URL	Tags
	security-advisories@github.com	https://github.com/milamer/parse-nested-form-data/commit/527ad58eb486e32438f7198fb88315c20449d792
	security-advisories@github.com	https://github.com/milamer/parse-nested-form-data/releases/tag/v1.0.1
	security-advisories@github.com	https://github.com/milamer/parse-nested-form-data/security/advisories/GHSA-xp7r-j8r6-j9h3
	134c704f-9b21-4f2e-91b3-4a467353bcc0	https://github.com/milamer/parse-nested-form-data/security/advisories/GHSA-xp7r-j8r6-j9h3

Impacted products

	Vendor	Product	Version

JSON

To clipboard

{
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "parse-nested-form-data is a tiny node module for parsing FormData by name into objects and arrays. Prior to version 1.0.1, parseFormData() walks bracket and dot-notation FormData field names into nested objects without filtering reserved property keys. A single FormData field whose name begins with __proto__, or contains .__proto__. mid-path, causes the parser to traverse onto Object.prototype and assign properties there, polluting the prototype chain of every plain object in the running process. This issue has been patched in version 1.0.1."
    }
  ],
  "id": "CVE-2026-45302",
  "lastModified": "2026-06-02T16:16:41.663",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "LOW",
          "baseScore": 8.2,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "NONE",
          "integrityImpact": "HIGH",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:L",
          "version": "3.1"
        },
        "exploitabilityScore": 3.9,
        "impactScore": 4.2,
        "source": "security-advisories@github.com",
        "type": "Secondary"
      }
    ]
  },
  "published": "2026-06-01T19:16:51.113",
  "references": [
    {
      "source": "security-advisories@github.com",
      "url": "https://github.com/milamer/parse-nested-form-data/commit/527ad58eb486e32438f7198fb88315c20449d792"
    },
    {
      "source": "security-advisories@github.com",
      "url": "https://github.com/milamer/parse-nested-form-data/releases/tag/v1.0.1"
    },
    {
      "source": "security-advisories@github.com",
      "url": "https://github.com/milamer/parse-nested-form-data/security/advisories/GHSA-xp7r-j8r6-j9h3"
    },
    {
      "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
      "url": "https://github.com/milamer/parse-nested-form-data/security/advisories/GHSA-xp7r-j8r6-j9h3"
    }
  ],
  "sourceIdentifier": "security-advisories@github.com",
  "vulnStatus": "Deferred",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-1321"
        }
      ],
      "source": "security-advisories@github.com",
      "type": "Secondary"
    }
  ]
}

GHSA-XP7R-J8R6-J9H3

Vulnerability from github – Published: 2026-05-18 16:43 – Updated: 2026-05-18 16:43

Summary

parse-nested-form-data has Prototype Pollution via `__proto__` in FormData field names

Details

Summary

parseFormData() walks bracket and dot-notation FormData field names into nested objects without filtering reserved property keys. A single FormData field whose name begins with __proto__, or contains .__proto__. mid-path, causes the parser to traverse onto Object.prototype and assign properties there, polluting the prototype chain of every plain object in the running process.

Details

The vulnerability is in handlePathPart in src/index.ts, which performs currentObject[pathPart.path] and currentObject[pathPart.path] = val for object-type path segments without rejecting reserved keys. When the segment is __proto__, the read returns Object.prototype, which then becomes the next traversal target, and the next assignment lands on the prototype.

Reproduction on a fresh install of parse-nested-form-data@1.0.0:

import { parseFormData } from 'parse-nested-form-data';
const fd = new FormData();
fd.append('__proto__.polluted', 'yes');
parseFormData(fd);
console.log(({}).polluted); // -> 'yes'
console.log(([]).polluted); // -> 'yes'

Equivalent vectors:

__proto__[polluted]=yes
a.__proto__.polluted=yes (mid-path traversal)
a[0].__proto__.polluted=yes (mid-path through an array element)

constructor.prototype.x was incidentally blocked by an existing duplicate-key guard (because Object is a function and failed the JSON-object check), but relying on that was fragile, so the fix denylists constructor and prototype as well as __proto__. The array branch (a[0], a[]) was not exploitable in practice - the regex restricts array-index segments to digit characters - but the forbidden-key check is applied before the object/array type branching as defense in depth, so any future change to the regex cannot reintroduce the issue.

Impact

Any application that passes attacker-controlled FormData (or any Iterable<[string, string | File]>) to parseFormData() - typically an HTTP server processing form submissions - allows an unauthenticated remote client to mutate Object.prototype of the running process via a single field name. Concrete consequences depend on the host application and may include corrupted application state, altered control flow in code that reads ambient properties off objects, and denial of service.

Patches

Fixed in 1.0.1. handlePathPart now throws a new ForbiddenKeyError (also exported) when any path segment is __proto__, constructor, or prototype, regardless of whether the segment would be used as an object key or an array index. The check runs before object/array type branching for defense in depth.

Upgrade:

npm install parse-nested-form-data@^1.0.1

Workarounds

If upgrading is not possible, validate field names before calling parseFormData():

const FORBIDDEN = /(^|\.)(__proto__|constructor|prototype)($|[.[])/;
for (const [name] of formData.entries()) {
  if (FORBIDDEN.test(name)) throw new Error('Unsafe field name');
}

Resources

CWE-1321: Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')
Fix commit: 527ad58eb486e32438f7198fb88315c20449d792

Severity

8.2 (High)


                  
                    CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:L

Show details on source website

JSON

To clipboard

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 1.0.0"
      },
      "package": {
        "ecosystem": "npm",
        "name": "parse-nested-form-data"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.0.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-45302"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1321"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-05-18T16:43:12Z",
    "nvd_published_at": null,
    "severity": "HIGH"
  },
  "details": "## Summary\n\n`parseFormData()` walks bracket and dot-notation FormData field names into nested objects without filtering reserved property keys. A single FormData field whose name begins with `__proto__`, or contains `.__proto__.` mid-path, causes the parser to traverse onto `Object.prototype` and assign properties there, polluting the prototype chain of every plain object in the running process.\n\n## Details\n\nThe vulnerability is in `handlePathPart` in `src/index.ts`, which performs `currentObject[pathPart.path]` and `currentObject[pathPart.path] = val` for object-type path segments without rejecting reserved keys. When the segment is `__proto__`, the read returns `Object.prototype`, which then becomes the next traversal target, and the next assignment lands on the prototype.\n\nReproduction on a fresh install of `parse-nested-form-data@1.0.0`:\n\n```js\nimport { parseFormData } from \u0027parse-nested-form-data\u0027;\nconst fd = new FormData();\nfd.append(\u0027__proto__.polluted\u0027, \u0027yes\u0027);\nparseFormData(fd);\nconsole.log(({}).polluted); // -\u003e \u0027yes\u0027\nconsole.log(([]).polluted); // -\u003e \u0027yes\u0027\n```\n\nEquivalent vectors:\n\n- `__proto__[polluted]=yes`\n- `a.__proto__.polluted=yes` (mid-path traversal)\n- `a[0].__proto__.polluted=yes` (mid-path through an array element)\n\n`constructor.prototype.x` was incidentally blocked by an existing duplicate-key guard (because `Object` is a function and failed the JSON-object check), but relying on that was fragile, so the fix denylists `constructor` and `prototype` as well as `__proto__`. The array branch (`a[0]`, `a[]`) was not exploitable in practice - the regex restricts array-index segments to digit characters - but the forbidden-key check is applied before the object/array type branching as defense in depth, so any future change to the regex cannot reintroduce the issue.\n\n## Impact\n\nAny application that passes attacker-controlled `FormData` (or any `Iterable\u003c[string, string | File]\u003e`) to `parseFormData()` - typically an HTTP server processing form submissions - allows an unauthenticated remote client to mutate `Object.prototype` of the running process via a single field name. Concrete consequences depend on the host application and may include corrupted application state, altered control flow in code that reads ambient properties off objects, and denial of service.\n\n## Patches\n\nFixed in **1.0.1**. `handlePathPart` now throws a new `ForbiddenKeyError` (also exported) when any path segment is `__proto__`, `constructor`, or `prototype`, regardless of whether the segment would be used as an object key or an array index. The check runs before object/array type branching for defense in depth.\n\nUpgrade:\n\n```\nnpm install parse-nested-form-data@^1.0.1\n```\n\n## Workarounds\n\nIf upgrading is not possible, validate field names before calling `parseFormData()`:\n\n```js\nconst FORBIDDEN = /(^|\\.)(__proto__|constructor|prototype)($|[.[])/;\nfor (const [name] of formData.entries()) {\n  if (FORBIDDEN.test(name)) throw new Error(\u0027Unsafe field name\u0027);\n}\n```\n\n## Resources\n\n- CWE-1321: Improperly Controlled Modification of Object Prototype Attributes (\u0027Prototype Pollution\u0027)\n- Fix commit: 527ad58eb486e32438f7198fb88315c20449d792",
  "id": "GHSA-xp7r-j8r6-j9h3",
  "modified": "2026-05-18T16:43:12Z",
  "published": "2026-05-18T16:43:12Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/milamer/parse-nested-form-data/security/advisories/GHSA-xp7r-j8r6-j9h3"
    },
    {
      "type": "WEB",
      "url": "https://github.com/milamer/parse-nested-form-data/commit/527ad58eb486e32438f7198fb88315c20449d792"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/milamer/parse-nested-form-data"
    },
    {
      "type": "WEB",
      "url": "https://github.com/milamer/parse-nested-form-data/releases/tag/v1.0.1"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:L",
      "type": "CVSS_V3"
    }
  ],
  "summary": "parse-nested-form-data has Prototype Pollution via `__proto__` in FormData field names"
}

Sightings

Author	Source	Type	Date	Other

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CVE-2026-45302 (GCVE-0-2026-45302)

FKIE_CVE-2026-45302

GHSA-XP7R-J8R6-J9H3

Summary

Details

Impact

Patches

Workarounds

Resources

Tags

Sightings

Nomenclature