CVE Search Engine - Security Vulnerabilities and Exploits Search Tool

Github Security Blog•added 2026/05/05 12:25 a.m.•8 views

Axios: Header Injection via Prototype Pollution

7.4CVSS5.8AI score0.00394EPSS

vulnersOsv•added 2026/05/05 12:25 a.m.•6 views

0xpay-cc-sdk (>=0.0.8 <=0.1.0), 0xtrails (>=0.0.0-20251106131028 <=0.16.0) +7151 more potentially affected by CVE-2026-42042 via axios (>=1.0.0 <=1.15.0)

axios NPM version =1.0.0, =0.0.8, =0.0.0-20251106131028, =0.0.1, =0.0.1, =0.0.1, =0.0.1, =1.0.0, =0.0.2-beta.0, =8.0.5, =6.1.0, =0.0.0-canary-847463221a9a1bee28641d8c0ecfaca98ee142f6, =0.0.1-alpha.3, =0.1.6-alpha.11, =0.1.6-alpha.12 and more Source cves: CVE-2026-42042 Source advisory:...

5.4CVSS5.4AI score0.00228EPSS

EUVD•added 2026/05/05 12:25 a.m.•4 views

EUVD-2026-25607

Axios: XSRF Token Cross-Origin Leakage via Prototype Pollution Gadget in withXSRFToken Boolean Coercion...

5.4CVSS5.8AI score0.00228EPSS

Exploits1References2

OSV•added 2026/05/05 12:25 a.m.•5 views

GHSA-XX6V-RP6X-Q39C Axios: XSRF Token Cross-Origin Leakage via Prototype Pollution Gadget in `withXSRFToken` Boolean Coercion

Vulnerability Disclosure: XSRF Token Cross-Origin Leakage via Prototype Pollution Gadget in withXSRFToken Boolean Coercion Summary The Axios library's XSRF token protection logic uses JavaScript truthy/falsy semantics instead of strict boolean comparison for the withXSRFToken config property. Whe...

5.4CVSS5.8AI score0.00228EPSS

Github Security Blog•added 2026/05/05 12:25 a.m.•10 views

Axios: XSRF Token Cross-Origin Leakage via Prototype Pollution Gadget in `withXSRFToken` Boolean Coercion

5.4CVSS5.8AI score0.00228EPSS

vulnersOsv•added 2026/05/05 12:21 a.m.•6 views

0xpay-cc-sdk (>=0.0.8 <=0.1.0), 0xtrails (>=0.0.0-20251106131028 <=0.16.0) +7151 more potentially affected by CVE-2026-42041 via axios (>=1.0.0 <=1.15.0)

6.5CVSS7.6AI score0.00289EPSS

Patchstack•added 2026/05/05 12:21 a.m.•9 views

NPM: Axios: Authentication Bypass via Prototype Pollution Gadget in `validateStatus` Merge Strategy

NPM: Axios: Authentication Bypass via Prototype Pollution Gadget in validateStatus Merge Strategy vulnerability discovered by ? in WordPress Npm axios versions = 0.31.0...

6.5CVSS5.8AI score0.00289EPSS

EUVD•added 2026/05/05 12:21 a.m.•4 views

EUVD-2026-25606

Axios: Authentication Bypass via Prototype Pollution Gadget in validateStatus Merge Strategy...

6.5CVSS5.8AI score0.00289EPSS

Exploits1References2

OSV•added 2026/05/05 12:21 a.m.•3 views

GHSA-W9J2-PVGH-6H63 Axios: Authentication Bypass via Prototype Pollution Gadget in `validateStatus` Merge Strategy

Vulnerability Disclosure: Authentication Bypass via Prototype Pollution Gadget in validateStatus Merge Strategy Summary The Axios library is vulnerable to a Prototype Pollution "Gadget" attack that allows any Object.prototype pollution to silently suppress all HTTP error responses 401, 403, 500,...

4.8CVSS5.9AI score0.00289EPSS

Github Security Blog•added 2026/05/05 12:21 a.m.•14 views

Axios: Authentication Bypass via Prototype Pollution Gadget in `validateStatus` Merge Strategy

6.5CVSS5.9AI score0.00289EPSS

OSV•added 2026/05/05 12:20 a.m.•4 views

GHSA-PMWG-CVHR-8VH7 Axios: Incomplete Fix for CVE-2025-62718 — NO_PROXY Protection Bypassed via RFC 1122 Loopback Subnet (127.0.0.0/8) in Axios 1.15.0

Executive Summary This report documents an incomplete security patch for the previously disclosed vulnerability GHSA-3p68-rc4w-qgx5 CVE-2025-62718, which affects the NOPROXY hostname resolution logic in the Axios HTTP library. Background — The Original Vulnerability The original vulnerability...

7.2CVSS5.9AI score0.00409EPSS

EUVD•added 2026/05/05 12:20 a.m.•16 views

EUVD-2026-25608

Axios: Incomplete Fix for CVE-2025-62718 — NOPROXY Protection Bypassed via RFC 1122 Loopback Subnet 127.0.0.0/8 in Axios 1.15.0...

10CVSS6.2AI score0.01075EPSS

Exploits2References2

vulnersOsv•added 2026/05/05 12:20 a.m.•5 views

0xpay-cc-sdk (>=0.0.8 <=0.1.0), 0xtrails (>=0.0.0-20251106131028 <=0.16.0) +7151 more potentially affected by CVE-2026-42043 via axios (>=1.0.0 <=1.15.0)

10CVSS7.6AI score0.00409EPSS

Patchstack•added 2026/05/05 12:20 a.m.•9 views

NPM: Axios: Incomplete Fix for CVE-2025-62718 — NO_PROXY Protection Bypassed via RFC 1122 Loopback Subnet (127.0.0.0/8) in Axios 1.15.0

NPM: Axios: Incomplete Fix for CVE-2025-62718 — NOPROXY Protection Bypassed via RFC 1122 Loopback Subnet 127.0.0.0/8 in Axios 1.15.0 vulnerability discovered by ? in WordPress Npm axios versions = 0.31.0...

10CVSS6.2AI score0.01075EPSS

Exploits2References3Affected Software1

Github Security Blog•added 2026/05/05 12:20 a.m.•13 views

Axios: Incomplete Fix for CVE-2025-62718 — NO_PROXY Protection Bypassed via RFC 1122 Loopback Subnet (127.0.0.0/8) in Axios 1.15.0

10CVSS6.3AI score0.01075EPSS

Exploits2References3Affected Software1

vulnersOsv•added 2026/05/05 12:19 a.m.•7 views

0xpay-cc-sdk (>=0.0.8 <=0.1.0), 0xtrails (>=0.0.0-20251106131028 <=0.16.0) +7208 more potentially affected by CVE-2026-42044 via axios (>=1.0.0 <=1.15.1)

9.1CVSS5.4AI score0.00269EPSS

Patchstack•added 2026/05/05 12:19 a.m.•8 views

NPM: Axios: Invisible JSON Response Tampering via Prototype Pollution Gadget in `parseReviver`

NPM: Axios: Invisible JSON Response Tampering via Prototype Pollution Gadget in parseReviver vulnerability discovered by ? in WordPress Npm axios versions = 1.0.0, 1.15.2...

9.1CVSS5.8AI score0.00269EPSS

EUVD•added 2026/05/05 12:19 a.m.•5 views

EUVD-2026-25609

Axios: Invisible JSON Response Tampering via Prototype Pollution Gadget in parseReviver...

9.1CVSS5.8AI score0.00269EPSS

Exploits1References2

OSV•added 2026/05/05 12:19 a.m.•6 views

GHSA-3W6X-2G7M-8V23 Axios: Invisible JSON Response Tampering via Prototype Pollution Gadget in `parseReviver`

Vulnerability Disclosure: Invisible JSON Response Tampering via Prototype Pollution Gadget in parseReviver Summary The Axios library is vulnerable to a Prototype Pollution "Gadget" attack that allows any Object.prototype pollution in the application's dependency tree to be escalated into surgical...

6.5CVSS5.9AI score0.00269EPSS