| CVE-2026-42041 | medium | 6.5 | 6.5 | | | | 1mo ago | Axios: Authentication Bypass via Prototype Pollution Gadget in `validateStatus` Merge Strategy |
| CVE-2026-42042 | medium | 5.4 | 5.4 | | | | 1mo ago | Axios: XSRF Token Cross-Origin Leakage via Prototype Pollution Gadget in `withXSRFToken` Boolean Coercion |
| CVE-2026-42037 | medium | 5.3 | 5.3 | | | | 1mo ago | Axios: CRLF Injection in multipart/form-data body via unsanitized blob.type in formDataToStream |
| CVE-2026-42036 | medium | 5.3 | 5.3 | | | | 1mo ago | Axios: HTTP adapter streamed responses bypass maxContentLength |
| CVE-2026-42034 | medium | 5.3 | 5.3 | | | | 1mo ago | Axios' HTTP adapter-streamed uploads bypass maxBodyLength when maxRedirects: 0 |
| CVE-2026-40175 | medium | 4.8 | 4.8 | | | | 2mo ago | Axios has Unrestricted Cloud Metadata Exfiltration via Header Injection Chain |
| CVE-2026-42040 | low | 3.7 | 3.7 | | | | 1mo ago | Axios: Null Byte Injection via Reverse-Encoding in AxiosURLSearchParams |
| CVE-2026-44495 | unknown | — | — | | | | 6d ago | axios Vulnerable to Credential Theft and Response Hijacking via Prototype Pollution Gadget in Config Merge |
| CVE-2026-44494 | unknown | — | — | | | | 6d ago | axios Vulnerable to Full Man-in-the-Middle via Prototype Pollution Gadget in `config.proxy` |
| CVE-2026-44492 | unknown | — | — | | | | 6d ago | axios's shouldBypassProxy does not recognize IPv4-mapped IPv6 addresses, allowing NO_PROXY bypass (incomplete fix for CVE-2025-62718) |
| CVE-2026-44490 | unknown | — | — | | | | 6d ago | axios has DoS & Header Injection via Prototype Pollution Read-Side Gadgets in axios merge functions |
| CVE-2026-44489 | unknown | — | — | | | | 6d ago | Axios has a Patch Bypass: Proxy-Authorization Header Injection via Prototype Pollution — Incomplete Null-Prototype Fix |