| CVE-2026-42043 | critical | 10.0 | 10.0 | 1mo ago | Axios: Incomplete Fix for CVE-2025-62718 — NO_PROXY Protection Bypassed via RFC 1122 Loopback Subnet (127.0.0.0/8) in Axios 1.15.0 |
| CVE-2025-62718 | critical | 9.9 | 9.9 | 2mo ago | Axios is a promise based HTTP client for the browser and Node.js. Prior to 1.15.0 and 0.31.0, Axios does not correctly handle hostname normalization when checking NO_PROXY rules. Requests to loopback… |
| CVE-2026-42264 | critical | 9.1 | 9.1 | 27d ago | Axios has prototype pollution read-side gadgets in HTTP adapter that allow credential injection and request hijacking |
| CVE-2026-42044 | critical | 9.1 | 9.1 | 1mo ago | Axios: Invisible JSON Response Tampering via Prototype Pollution Gadget in `parseReviver` |
| CVE-2026-44495 | unknown | — | — | 6d ago | axios Vulnerable to Credential Theft and Response Hijacking via Prototype Pollution Gadget in Config Merge |
| CVE-2026-44494 | unknown | — | — | 6d ago | axios Vulnerable to Full Man-in-the-Middle via Prototype Pollution Gadget in `config.proxy` |
| CVE-2026-44492 | unknown | — | — | 6d ago | axios's shouldBypassProxy does not recognize IPv4-mapped IPv6 addresses, allowing NO_PROXY bypass (incomplete fix for CVE-2025-62718) |
| CVE-2026-44490 | unknown | — | — | 6d ago | axios has DoS & Header Injection via Prototype Pollution Read-Side Gadgets in axios merge functions |
| CVE-2026-44489 | unknown | — | — | 6d ago | Axios has a Patch Bypass: Proxy-Authorization Header Injection via Prototype Pollution — Incomplete Null-Prototype Fix |