|
131
|
3.7 |
LOW
Network
|
-
|
-
|
Axios is a promise based HTTP client for the browser and Node.js. Prior to 1.15.1 and 0.31.1, the encode() function in lib/helpers/AxiosURLSearchParams.js contains a character mapping (charMap) at li…
New
|
CWE-116
CWE-626
Improper Encoding or Escaping of Output
|
CVE-2026-42040
|
2026-04-25 03:16 |
2026-04-25 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
132
|
- |
|
-
|
-
|
Axios is a promise based HTTP client for the browser and Node.js. Prior to 1.15.1 and 0.31.1, toFormData recursively walks nested objects with no depth limit, so a deeply nested value passed as reque…
New
|
CWE-674
Uncontrolled Recursion
|
CVE-2026-42039
|
2026-04-25 03:16 |
2026-04-25 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
133
|
6.8 |
MEDIUM
Network
|
-
|
-
|
Axios is a promise based HTTP client for the browser and Node.js. Prior to 1.15.1 and 0.31.1, he fix for no_proxy hostname normalization bypass is incomplete. When no_proxy=localhost is set, requests…
New
|
CWE-918
Server-Side Request Forgery (SSRF)
|
CVE-2026-42038
|
2026-04-25 03:16 |
2026-04-25 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
134
|
5.3 |
MEDIUM
Network
|
-
|
-
|
Axios is a promise based HTTP client for the browser and Node.js. From 1.0.0 to before 1.15.1, the FormDataPart constructor in lib/helpers/formDataToStream.js interpolates value.type directly into th…
New
|
CWE-93
CRLF Injection
|
CVE-2026-42037
|
2026-04-25 03:16 |
2026-04-25 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
135
|
5.3 |
MEDIUM
Network
|
-
|
-
|
Axios is a promise based HTTP client for the browser and Node.js. Prior to 1.15.1 and 0.31.1, when responseType: 'stream' is used, Axios returns the response stream without enforcing maxContentLength…
New
|
CWE-770
Allocation of Resources Without Limits or Throttling
|
CVE-2026-42036
|
2026-04-25 03:16 |
2026-04-25 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
136
|
7.4 |
HIGH
Network
|
-
|
-
|
Axios is a promise based HTTP client for the browser and Node.js. Prior to 1.15.1 and 0.31.1, a prototype pollution gadget exists in the Axios HTTP adapter (lib/adapters/http.js) that allows an attac…
New
|
CWE-113
CWE-1321
HTTP Response Splitting
Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')
|
CVE-2026-42035
|
2026-04-25 03:16 |
2026-04-25 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
137
|
5.3 |
MEDIUM
Network
|
-
|
-
|
Axios is a promise based HTTP client for the browser and Node.js. Prior to 1.15.1 and 0.31.1, for stream request bodies, maxBodyLength is bypassed when maxRedirects is set to 0 (native http/https tra…
New
|
CWE-770
Allocation of Resources Without Limits or Throttling
|
CVE-2026-42034
|
2026-04-25 03:16 |
2026-04-25 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
138
|
7.4 |
HIGH
Network
|
-
|
-
|
Axios is a promise based HTTP client for the browser and Node.js. Prior to 1.15.1 and 0.31.1, when Object.prototype has been polluted by any co-dependency with keys that axios reads without a hasOwnP…
New
|
CWE-1321
Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')
|
CVE-2026-42033
|
2026-04-25 03:16 |
2026-04-25 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
139
|
- |
|
-
|
-
|
rust-openssl provides OpenSSL bindings for the Rust programming language. From 0.9.24 to before 0.10.78, the FFI trampolines behind SslContextBuilder::set_psk_client_callback, set_psk_server_callbac…
New
|
CWE-126
CWE-130
Buffer Over-read
Improper Handling of Length Parameter Inconsistency
|
CVE-2026-41898
|
2026-04-25 03:16 |
2026-04-25 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
140
|
- |
|
-
|
-
|
rust-openssl provides OpenSSL bindings for the Rust programming language. From 0.10.39 to before 0.10.78, EVP_DigestFinal() always writes EVP_MD_CTX_size(ctx) to the out buffer. If out is smaller th…
New
|
CWE-121
Stack-based Buffer Overflow
|
CVE-2026-41681
|
2026-04-25 03:16 |
2026-04-25 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
