| CVE-2026-42039 |
high |
7.5 |
7.5 |
|
|
|
1mo ago |
Axios: unbounded recursion in toFormData causes DoS via deeply nested request data |
| CVE-2026-42038 |
high |
7.5 |
7.5 |
|
|
|
1mo ago |
Axios: no_proxy bypass via IP alias allows SSRF |
| CVE-2026-25639 |
high |
7.5 |
7.5 |
|
|
|
4mo ago |
Axios is Vulnerable to Denial of Service via __proto__ Key in mergeConfig |
| CVE-2026-42035 |
high |
7.4 |
7.4 |
|
|
|
1mo ago |
Axios: Header Injection via Prototype Pollution |
| CVE-2026-42033 |
high |
7.4 |
7.4 |
|
|
|
1mo ago |
Axios: Prototype Pollution Gadgets - Response Tampering, Data Exfiltration, and Request Hijacking |
| CVE-2026-44496 |
unknown |
— |
— |
|
|
|
6h ago |
Axios: Regular Expression Denial of Service (ReDoS) via Cookie Name Injection |
| CVE-2026-44488 |
unknown |
— |
— |
|
|
|
6h ago |
Allocation of Resources Without Limits or Throttling in Axios |
| CVE-2026-44487 |
unknown |
— |
— |
|
|
|
6h ago |
Axios: Proxy-Authorization Credential Leak to Origin Server Across HTTP-to-HTTPS Redirect in Axios Node.js HTTP Adapter |
| CVE-2026-44486 |
unknown |
— |
— |
|
|
|
6h ago |
Axios: Proxy-Authorization header leaks to redirect target when proxy is re-evaluated to direct connection |
| CVE-2026-44495 |
unknown |
— |
— |
|
|
|
6d ago |
axios Vulnerable to Credential Theft and Response Hijacking via Prototype Pollution Gadget in Config Merge |
| CVE-2026-44494 |
unknown |
— |
— |
|
|
|
6d ago |
axios Vulnerable to Full Man-in-the-Middle via Prototype Pollution Gadget in `config.proxy` |
| CVE-2026-44492 |
unknown |
— |
— |
|
|
|
6d ago |
axios's shouldBypassProxy does not recognize IPv4-mapped IPv6 addresses, allowing NO_PROXY bypass (incomplete fix for CVE-2025-62718) |
| CVE-2026-44490 |
unknown |
— |
— |
|
|
|
6d ago |
axios has DoS & Header Injection via Prototype Pollution Read-Side Gadgets in axios merge functions |
| CVE-2026-44489 |
unknown |
— |
— |
|
|
|
6d ago |
Axios has a Patch Bypass: Proxy-Authorization Header Injection via Prototype Pollution — Incomplete Null-Prototype Fix |
