
4641 matches found

OSV
added 2026/04/24 6:16 p.m. | 8 views

UBUNTU-CVE-2026-42040

Axios is a promise based HTTP client for the browser and Node.js. Prior to 1.15.1 and 0.31.1, the encode function in lib/helpers/AxiosURLSearchParams.js contains a character mapping charMap at line 21 that reverses the safe percent-encoding of null bytes. After encodeURIComponent'\x00' correctly...

CVSS 3.7 | AI score 5.8 | EPSS 0.00217
Exploits: 1 | References: 3

UbuntuCve
added 2026/04/24 6:16 p.m. | 5 views

CVE-2026-42035

Axios is a promise based HTTP client for the browser and Node.js. Prior to 1.15.1 and 0.31.1, a prototype pollution gadget exists in the Axios HTTP adapter lib/adapters/http.js that allows an attacker to inject arbitrary HTTP headers into outgoing requests. The vulnerability exploits duck-type...

CVSS 7.4 | AI score 5.9 | EPSS 0.00394
Exploits: 1 | References: 2

OSV
added 2026/04/24 6:16 p.m. | 6 views

UBUNTU-CVE-2026-42034

Axios is a promise based HTTP client for the browser and Node.js. Prior to 1.15.1 and 0.31.1, for stream request bodies, maxBodyLength is bypassed when maxRedirects is set to 0 (native http/https transport path). Oversized streamed uploads are sent fully even when the caller sets strict body limits...

CVSS 5.3 | AI score 5.8 | EPSS 0.00327
Exploits: 1 | References: 3

OSV
added 2026/04/24 6:16 p.m. | 5 views

UBUNTU-CVE-2026-42036

Axios is a promise based HTTP client for the browser and Node.js. Prior to 1.15.1 and 0.31.1, when responseType: 'stream' is used, Axios returns the response stream without enforcing maxContentLength. This bypasses configured response-size limits and allows unbounded downstream consumption. This...

CVSS 5.3 | AI score 5.8 | EPSS 0.00421
Exploits: 1 | References: 3

UbuntuCve
added 2026/04/24 6:16 p.m. | 5 views

CVE-2026-42033

Axios is a promise based HTTP client for the browser and Node.js. Prior to 1.15.1 and 0.31.1, when Object.prototype has been polluted by any co-dependency with keys that axios reads without a hasOwnProperty guard, an attacker can silently intercept and modify every JSON response before the...

CVSS 7.4 | AI score 5.7 | EPSS 0.00838
Exploits: 1 | References: 2

OSV
added 2026/04/24 6:16 p.m. | 8 views

UBUNTU-CVE-2026-42042

Axios is a promise based HTTP client for the browser and Node.js. Prior to 1.15.1 and 0.31.1, the Axios library's XSRF token protection logic uses JavaScript truthy/falsy semantics instead of strict boolean comparison for the withXSRFToken config property. When this property is set to any truthy...

CVSS 5.4 | AI score 5.8 | EPSS 0.00228
Exploits: 1 | References: 3

ATTACKERKB
added 2026/04/24 6:3 p.m. | 5 views

CVE-2026-42042

Axios is a promise based HTTP client for the browser and Node.js. Prior to 1.15.1 and 0.31.1, the Axios library's XSRF token protection logic uses JavaScript truthy/falsy semantics instead of strict boolean comparison for the withXSRFToken config property. When this property is set to any truthy...

CVSS 5.4 | AI score 5.3 | EPSS 0.00228
Exploits: 1 | References: 2 | Affected Software: 1

Vulnrichment
added 2026/04/24 6:3 p.m. | 2 views

CVE-2026-42042 Axios: XSRF Token Cross-Origin Leakage via Prototype Pollution Gadget in `withXSRFToken` Boolean Coercion

Axios is a promise based HTTP client for the browser and Node.js. Prior to 1.15.1 and 0.31.1, the Axios library's XSRF token protection logic uses JavaScript truthy/falsy semantics instead of strict boolean comparison for the withXSRFToken config property. When this property is set to any truthy...

CVSS 5.4 | AI score 5.3 | EPSS 0.00228
Exploits: 1 | References: 1

Cvelist
added 2026/04/24 6:3 p.m. | 28 views

CVE-2026-42042 Axios: XSRF Token Cross-Origin Leakage via Prototype Pollution Gadget in `withXSRFToken` Boolean Coercion

Axios is a promise based HTTP client for the browser and Node.js. Prior to 1.15.1 and 0.31.1, the Axios library's XSRF token protection logic uses JavaScript truthy/falsy semantics instead of strict boolean comparison for the withXSRFToken config property. When this property is set to any truthy...

CVSS 5.4 | EPSS 0.00228
Exploits: 1 | References: 1

CVE
added 2026/04/24 6:3 p.m. | 76 views

CVE-2026-42042

Axios is affected by a cross-origin leakage due to XSRF token handling when withXSRFToken is set to truthy non-boolean values. Prior to versions 1.15.1 and 0.31.1, the protection logic used truthy/falsy semantics instead of strict boolean comparison, short-circuiting the isURLSameOrigin check and...

CVSS 5.4 | AI score 5.3 | EPSS 0.00228
Exploits: 1 | References: 1 | Affected Software: 1

Debian CVE
added 2026/04/24 6:3 p.m. | 4 views

CVE-2026-42042

Axios is a promise based HTTP client for the browser and Node.js. Prior to 1.15.1 and 0.31.1, the Axios library's XSRF token protection logic uses JavaScript truthy/falsy semantics instead of strict boolean comparison for the withXSRFToken config property. When this property is set to any truthy...

CVSS 5.4 | AI score 5.3 | EPSS 0.00228
Exploits: 1

CVE
added 2026/04/24 6:1 p.m. | 47 views

CVE-2026-42039

CVE-2026-42039 affects Axios’ toFormData function, where passing deeply nested request data can trigger unbounded recursion and crash the Node.js process with a RangeError. Affected versions are before 1.15.1 and 0.31.1; remediation is to upgrade to 1.15.1 or 0.31.1. The vulnerability impacts Axi...

CVSS 7.5 | AI score 5.3 | EPSS 0.00744
Exploits: 1 | References: 39 | Affected Software: 1

Cvelist
added 2026/04/24 6:1 p.m. | 25 views

CVE-2026-42039 Axios: unbounded recursion in toFormData causes DoS via deeply nested request data

Axios is a promise based HTTP client for the browser and Node.js. Prior to 1.15.1 and 0.31.1, toFormData recursively walks nested objects with no depth limit, so a deeply nested value passed as request data crashes the Node.js process with a RangeError. This vulnerability is fixed in 1.15.1 and...

CVSS 6.9 | EPSS 0.00744
Exploits: 1 | References: 1

Vulnrichment
added 2026/04/24 6:1 p.m. | 4 views

CVE-2026-42039 Axios: unbounded recursion in toFormData causes DoS via deeply nested request data

Axios is a promise based HTTP client for the browser and Node.js. Prior to 1.15.1 and 0.31.1, toFormData recursively walks nested objects with no depth limit, so a deeply nested value passed as request data crashes the Node.js process with a RangeError. This vulnerability is fixed in 1.15.1 and...

CVSS 6.9 | AI score 5.2 | EPSS 0.00744
Exploits: 1 | References: 1

Debian CVE
added 2026/04/24 6:1 p.m. | 3 views

CVE-2026-42039

Axios is a promise based HTTP client for the browser and Node.js. Prior to 1.15.1 and 0.31.1, toFormData recursively walks nested objects with no depth limit, so a deeply nested value passed as request data crashes the Node.js process with a RangeError. This vulnerability is fixed in 1.15.1 and...

CVSS 7.5 | AI score 5.3 | EPSS 0.00744
Exploits: 1

CVE
added 2026/04/24 6:0 p.m. | 27 views

CVE-2026-42036

Axios is affected when using responseType: 'stream' prior to v1.15.1 and v0.31.1, where the HTTP client returns the response stream without enforcing maxContentLength. This allows unbounded downstream consumption and bypasses configured response-size limits. The issue is fixed in v1.15.1 and v0.3...

CVSS 5.3 | AI score 5.3 | EPSS 0.00421
Exploits: 1 | References: 1 | Affected Software: 1

ATTACKERKB
added 2026/04/24 6:0 p.m. | 6 views

CVE-2026-42036

Axios is a promise based HTTP client for the browser and Node.js. Prior to 1.15.1 and 0.31.1, when responseType: 'stream' is used, Axios returns the response stream without enforcing maxContentLength. This bypasses configured response-size limits and allows unbounded downstream consumption. This...

CVSS 5.3 | AI score 5.3 | EPSS 0.00421
Exploits: 1 | References: 2 | Affected Software: 1

Cvelist
added 2026/04/24 6:0 p.m. | 31 views

CVE-2026-42036 Axios: HTTP adapter streamed responses bypass maxContentLength

Axios is a promise based HTTP client for the browser and Node.js. Prior to 1.15.1 and 0.31.1, when responseType: 'stream' is used, Axios returns the response stream without enforcing maxContentLength. This bypasses configured response-size limits and allows unbounded downstream consumption. This...

CVSS 5.3 | EPSS 0.00421
Exploits: 1 | References: 1

Vulnrichment
added 2026/04/24 6:0 p.m. | 7 views

CVE-2026-42036 Axios: HTTP adapter streamed responses bypass maxContentLength

Axios is a promise based HTTP client for the browser and Node.js. Prior to 1.15.1 and 0.31.1, when responseType: 'stream' is used, Axios returns the response stream without enforcing maxContentLength. This bypasses configured response-size limits and allows unbounded downstream consumption. This...

CVSS 5.3 | AI score 5.2 | EPSS 0.00421
Exploits: 1 | References: 1

Debian CVE
added 2026/04/24 6:0 p.m. | 6 views

CVE-2026-42036

Axios is a promise based HTTP client for the browser and Node.js. Prior to 1.15.1 and 0.31.1, when responseType: 'stream' is used, Axios returns the response stream without enforcing maxContentLength. This bypasses configured response-size limits and allows unbounded downstream consumption. This...

CVSS 5.3 | AI score 5.3 | EPSS 0.00421
Exploits: 1