Prototype Pollution

sveltekit-superforms is vulnerable to prototype pollution. The vulnerability is due to improper handling of user-supplied data in the parseFormData function of formData.js, which allows an attacker to inject properties into Object.prototype, enabling denial of service, type confusion, and potenti...

CVE-2025-62381

sveltekit-superforms makes SvelteKit forms a pleasure to use. sveltekit-superforms v2.27.3 and prior are susceptible to a prototype pollution vulnerability within the parseFormData function of formData.js. An attacker can inject string and array properties into Object.prototype, leading to denial...

GHSA-HWMC-4C8J-XXJ7 `sveltekit-superforms` has Prototype Pollution in `parseFormData` function of `formData.js`

Summary sveltekit-superforms v2.27.3 and prior are susceptible to a prototype pollution vulnerability within the parseFormData function of formData.js. An attacker can inject string and array properties into Object.prototype, leading to denial of service, type confusion, and potential remote code...

`sveltekit-superforms` has Prototype Pollution in `parseFormData` function of `formData.js`

Summary sveltekit-superforms v2.27.3 and prior are susceptible to a prototype pollution vulnerability within the parseFormData function of formData.js. An attacker can inject string and array properties into Object.prototype, leading to denial of service, type confusion, and potential remote code...

Prototype Pollution

Overview sveltekit-superforms is a Making SvelteKit forms a pleasure to use! Affected versions of this package are vulnerable to Prototype Pollution via the parseFormData function. An attacker can inject properties into Object.prototype by submitting specially crafted form parameters, which can...

@nasa-jpl/stellar-svelte (>=2.1.9 <=2.1.10), @scouterdev/ui (=0.0.1) +2 more potentially affected by CVE-2025-62381 via sveltekit-superforms (>=2.16.1 <=2.27.1)

sveltekit-superforms NPM version =2.16.1, =2.1.9, =1.3.0, =0.0.2-dev.80, =1.0.9 Source cves: CVE-2025-62381 Source advisory: SNYK:JS-SVELTEKITSUPERFORMS-13559331...

CVE-2025-62381

sveltekit-superforms makes SvelteKit forms a pleasure to use. sveltekit-superforms v2.27.3 and prior are susceptible to a prototype pollution vulnerability within the parseFormData function of formData.js. An attacker can inject string and array properties into Object.prototype, leading to denial...

EUVD-2025-34681

sveltekit-superforms makes SvelteKit forms a pleasure to use. sveltekit-superforms v2.27.3 and prior are susceptible to a prototype pollution vulnerability within the parseFormData function of formData.js. An attacker can inject string and array properties into Object.prototype, leading to denial...

CVE-2025-62381 sveltekit-superforms Prototype Pollution in `parseFormData` function of `formData.js`

sveltekit-superforms makes SvelteKit forms a pleasure to use. sveltekit-superforms v2.27.3 and prior are susceptible to a prototype pollution vulnerability within the parseFormData function of formData.js. An attacker can inject string and array properties into Object.prototype, leading to denial...

CVE-2025-62381 sveltekit-superforms Prototype Pollution in `parseFormData` function of `formData.js`

sveltekit-superforms makes SvelteKit forms a pleasure to use. sveltekit-superforms v2.27.3 and prior are susceptible to a prototype pollution vulnerability within the parseFormData function of formData.js. An attacker can inject string and array properties into Object.prototype, leading to denial...

CVE-2025-62381

CVE-2025-62381 affects the package sveltekit-superforms (versions up to 2.27.3). The vulnerability is in the parseFormData function of formData.js, where user-controlled values can pollute Object.prototype, enabling DoS, type confusion, and potentially remote code execution in downstream apps. Se...

CVE-2025-62381 sveltekit-superforms Prototype Pollution in `parseFormData` function of `formData.js`

sveltekit-superforms makes SvelteKit forms a pleasure to use. sveltekit-superforms v2.27.3 and prior are susceptible to a prototype pollution vulnerability within the parseFormData function of formData.js. An attacker can inject string and array properties into Object.prototype, leading to denial...

WordPress Superforms premium plugin <= 6.0.3 - Reflected Cross-Site Scripting (XSS) vulnerability

Reflected Cross-Site Scripting XSS vulnerability discovered by Koutrouss Naddara in WordPress Superforms premium plugin versions = 6.0.3. Solution Update the WordPress Superforms premium plugin to the latest available version at least 6.0.4...

Superforms < 6.0.4 - Reflected Cross-Site Scripting

The plugin does not escape the bobczypanstwasprawazostalarozwiazana parameter before outputting it back in an attribute via the superlanguageswitcher AJAX action, leading to a Reflected Cross-Site Scripting. The action is also lacking CSRF, making the attack easier to perform against any user. Po...

Superforms < 6.0.4 - Reflected Cross-Site Scripting

The plugin does not escape the bobczypanstwasprawazostalarozwiazana parameter before outputting it back in an attribute via the superlanguageswitcher AJAX action, leading to a Reflected Cross-Site Scripting. The action is also lacking CSRF, making the attack easier to perform against any user...

WordPress SuperForms 4.9 Shell Upload

Exploit Title: WordPress Plugin SuperForms 4.9 - Arbitrary File Upload to Remote Code Execution Exploit Author: ABDO10 Date : Jan - 28 - 2021 Google Dork : inurl:"/wp-content/plugins/super-forms/" Vendor Homepage : https://renstillmann.github.io/super-forms// Version : All = 4.9.X data in http...

WordPress Plugin SuperForms 4.9 - Arbitrary File Upload

Exploit Title: WordPress Plugin SuperForms 4.9 - Arbitrary File Upload to Remote Code Execution Exploit Author: ABDO10 Date : Jan - 28 - 2021 Google Dork : inurl:"/wp-content/plugins/super-forms/" Vendor Homepage : https://renstillmann.github.io/super-forms// Version : All = 4.9.X data in http...