Is form-data-objectizer affected by CVE-2026-46510?

npm form-data-objectizer is affected in <1.0.1.

Is CVE-2026-46510 being exploited?

Not on the CISA KEV list. EPSS exploit probability is 0.3%.

high

CVE-2026-46510

Q: Is CVE-2026-46510 being exploited?

Not on the CISA KEV list. EPSS exploit probability is 0.3%.

npm · form-data-objectizer

Summary

form-data-objectizer: Prototype pollution in form-data-objectizer via bracket-notation form keys

Severity: high
EPSS: 0.3% (p20)
Also known as: GHSA-m2hg-wjq3-28wq
Published: 2026-05-18

References

https://github.com/kaspernj/form-data-objectizer/security/advisories/GHSA-m2hg-wjq3-28wq
https://nvd.nist.gov/vuln/detail/CVE-2026-46510
https://github.com/kaspernj/form-data-objectizer/commit/7c54b99408e6e9cd6533b7245bf197dadc2a2dbc

Is your project exposed to this? Stateward checks every dependency on every pull request and flags it only if your code actually reaches it.

Check my repo

Summarize with AI

ChatGPT Claude Perplexity

Sources: CISA KEV (public domain), OSV.dev & GitHub Advisory Database (CC-BY-4.0), FIRST EPSS, NVD/CWE (public domain). Served live from the Stateward advisory database.