Vendor
An incomplete fix for CVE-2026-25754 in the `@adonisjs/bodyparser` package, tracked as CVE-2026-48795, allows remote unauthenticated attackers to bypass security measures via nested prototype pollution payloads in `multipart/form-data` requests, potentially leading to authorization bypasses or remote code execution.