Package impact
npm / axios
| CVE | Severity | CVSS | Risk | Flags | OS | Vendor | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2026-42041 | medium | 6.5 | 6.5 | 1mo ago | Axios: Authentication Bypass via Prototype Pollution Gadget in `validateStatus` Merge Strategy | |||
| CVE-2026-42042 | medium | 5.4 | 5.4 | 1mo ago | Axios: XSRF Token Cross-Origin Leakage via Prototype Pollution Gadget in `withXSRFToken` Boolean Coercion | |||
| CVE-2026-42037 | medium | 5.3 | 5.3 | 1mo ago | Axios: CRLF Injection in multipart/form-data body via unsanitized blob.type in formDataToStream | |||
| CVE-2026-42036 | medium | 5.3 | 5.3 | 1mo ago | Axios: HTTP adapter streamed responses bypass maxContentLength | |||
| CVE-2026-42034 | medium | 5.3 | 5.3 | 1mo ago | Axios' HTTP adapter-streamed uploads bypass maxBodyLength when maxRedirects: 0 | |||
| CVE-2026-40175 | medium | 4.8 | 4.8 | 2mo ago | Axios has Unrestricted Cloud Metadata Exfiltration via Header Injection Chain | |||
| CVE-2026-42040 | low | 3.7 | 3.7 | 1mo ago | Axios: Null Byte Injection via Reverse-Encoding in AxiosURLSearchParams |