4641 matches found

ATTACKERKB
added 2026/04/24 5:54 p.m. | 9 views

CVE-2026-42043

Axios is a promise based HTTP client for the browser and Node.js. Prior to 1.15.1 and 0.31.1, an attacker who can influence the target URL of an Axios request can use any address in the 127.0.0.0/8 range other than 127.0.0.1 to completely bypass the NO_PROXY protection. This vulnerability is due t...

9.9 CVSS | 5.3 AI score | 0.01186 EPSS
Exploits 2 | References 2 | Affected Software 1
CVE
added 2026/04/24 5:54 p.m. | 231 views

CVE-2026-42043

Axios: CVE-2026-42043 affects Axios versions prior to 1.15.1 and 0.31.1, where an attacker controlling the request URL could bypass NO_PROXY by using loopback 127.0.0.0/8 addresses (except 127.0.0.1). Root cause is an incomplete fix for CVE-2025-62718. Impact is potential exposure via proxy/SSRF ...

10 CVSS | 5.2 AI score | 0.00661 EPSS
Exploits 1 | References 39 | Affected Software 1
Debian CVE
added 2026/04/24 5:54 p.m. | 4 views

CVE-2026-42043

Axios is a promise based HTTP client for the browser and Node.js. Prior to 1.15.1 and 0.31.1, an attacker who can influence the target URL of an Axios request can use any address in the 127.0.0.0/8 range other than 127.0.0.1 to completely bypass the NO_PROXY protection. This vulnerability is due t...

10 CVSS | 5.4 AI score | 0.00661 EPSS
Exploits 1
Cvelist
added 2026/04/24 5:49 p.m. | 30 views

CVE-2026-42044 Axios: Invisible JSON Response Tampering via Prototype Pollution Gadget in `parseReviver`

Axios is a promise based HTTP client for the browser and Node.js. From 1.0.0 to before 1.15.2, the Axios library is vulnerable to a Prototype Pollution "Gadget" attack that allows any Object.prototype pollution in the application's dependency tree to be escalated into surgical, invisible...

6.5 CVSS | 0.00586 EPSS
Exploits 1 | References 1
ATTACKERKB
added 2026/04/24 5:49 p.m. | 4 views

CVE-2026-42044

Axios is a promise based HTTP client for the browser and Node.js. From 1.0.0 to before 1.15.2, the Axios library is vulnerable to a Prototype Pollution "Gadget" attack that allows any Object.prototype pollution in the application's dependency tree to be escalated into surgical, invisible...

6.5 CVSS | 5.3 AI score | 0.00586 EPSS
Exploits 1 | References 2 | Affected Software 1
Vulnrichment
added 2026/04/24 5:49 p.m. | 5 views

CVE-2026-42044 Axios: Invisible JSON Response Tampering via Prototype Pollution Gadget in `parseReviver`

Axios is a promise based HTTP client for the browser and Node.js. From 1.0.0 to before 1.15.2, the Axios library is vulnerable to a Prototype Pollution "Gadget" attack that allows any Object.prototype pollution in the application's dependency tree to be escalated into surgical, invisible...

6.5 CVSS | 5.3 AI score | 0.00586 EPSS
Exploits 1 | References 1
CVE
added 2026/04/24 5:49 p.m. | 152 views

CVE-2026-42044

Axios versions from 1.0.0 to before 1.15.2 are affected by a Prototype Pollution Gadget in the parseReviver path used by the default transformResponse (lib/defaults/index.js). A polluted Object.prototype can be leveraged to surgically modify JSON API responses, potentially enabling privilege esca...

9.1 CVSS | 5.3 AI score | 0.00586 EPSS
Exploits 1 | References 36 | Affected Software 1
Debian CVE
added 2026/04/24 5:49 p.m. | 5 views

CVE-2026-42044

Axios is a promise based HTTP client for the browser and Node.js. From 1.0.0 to before 1.15.2, the Axios library is vulnerable to a Prototype Pollution "Gadget" attack that allows any Object.prototype pollution in the application's dependency tree to be escalated into surgical, invisible...

9.1 CVSS | 5.3 AI score | 0.00586 EPSS
Exploits 1
ATTACKERKB
added 2026/04/24 5:40 p.m. | 6 views

CVE-2026-42040

Axios is a promise based HTTP client for the browser and Node.js. Prior to 1.15.1 and 0.31.1, the encode function in lib/helpers/AxiosURLSearchParams.js contains a character mapping charMap at line 21 that reverses the safe percent-encoding of null bytes. After encodeURIComponent('\x00') correctly...

3.7 CVSS | 5.3 AI score | 0.00217 EPSS
Exploits 1 | References 2 | Affected Software 1
CVE
added 2026/04/24 5:40 p.m. | 31 views

CVE-2026-42040

CVE-2026-42040 concerns Axios, a promise-based HTTP client for browser and Node.js. The vulnerability lies in the encode() function inside lib/helpers/AxiosURLSearchParams.js, where a character map (charMap) erroneously reverses safe percent-encoding of null bytes. Specifically, after encodeURICo...

3.7 CVSS | 5.3 AI score | 0.00217 EPSS
Exploits 1 | References 1 | Affected Software 1
Cvelist
added 2026/04/24 5:40 p.m. | 33 views

CVE-2026-42040 Axios: Null Byte Injection via Reverse-Encoding in AxiosURLSearchParams

Axios is a promise based HTTP client for the browser and Node.js. Prior to 1.15.1 and 0.31.1, the encode function in lib/helpers/AxiosURLSearchParams.js contains a character mapping charMap at line 21 that reverses the safe percent-encoding of null bytes. After encodeURIComponent('\x00') correctly...

3.7 CVSS | 0.00217 EPSS
Exploits 1 | References 1
Vulnrichment
added 2026/04/24 5:40 p.m. | 7 views

CVE-2026-42040 Axios: Null Byte Injection via Reverse-Encoding in AxiosURLSearchParams

Axios is a promise based HTTP client for the browser and Node.js. Prior to 1.15.1 and 0.31.1, the encode function in lib/helpers/AxiosURLSearchParams.js contains a character mapping charMap at line 21 that reverses the safe percent-encoding of null bytes. After encodeURIComponent('\x00') correctly...

3.7 CVSS | 5.3 AI score | 0.00217 EPSS
Exploits 1 | References 1
Debian CVE
added 2026/04/24 5:40 p.m. | 7 views

CVE-2026-42040

Axios is a promise based HTTP client for the browser and Node.js. Prior to 1.15.1 and 0.31.1, the encode function in lib/helpers/AxiosURLSearchParams.js contains a character mapping charMap at line 21 that reverses the safe percent-encoding of null bytes. After encodeURIComponent('\x00') correctly...

3.7 CVSS | 5.3 AI score | 0.00217 EPSS
Exploits 1
Debian CVE
added 2026/04/24 5:38 p.m. | 8 views

CVE-2026-42035

Axios is a promise based HTTP client for the browser and Node.js. Prior to 1.15.1 and 0.31.1, a prototype pollution gadget exists in the Axios HTTP adapter lib/adapters/http.js that allows an attacker to inject arbitrary HTTP headers into outgoing requests. The vulnerability exploits duck-type...

7.4 CVSS | 5.7 AI score | 0.00394 EPSS
Exploits 1
Cvelist
added 2026/04/24 5:38 p.m. | 31 views

CVE-2026-42035 Axios: Header Injection via Prototype Pollution

Axios is a promise based HTTP client for the browser and Node.js. Prior to 1.15.1 and 0.31.1, a prototype pollution gadget exists in the Axios HTTP adapter lib/adapters/http.js that allows an attacker to inject arbitrary HTTP headers into outgoing requests. The vulnerability exploits duck-type...

7.4 CVSS | 0.00394 EPSS
Exploits 1 | References 1
CVE
added 2026/04/24 5:38 p.m. | 56 views

CVE-2026-42035

Axios prior to versions 1.15.1 and 0.31.1 contains a prototype pollution gadget in the HTTP adapter (lib/adapters/http.js) that can inject arbitrary HTTP headers into outgoing requests. The issue occurs when Object.prototype is polluted with getHeaders, append, pipe, on, once, and Symbol.toString...

7.4 CVSS | 5.7 AI score | 0.00394 EPSS
Exploits 1 | References 1 | Affected Software 1
ATTACKERKB
added 2026/04/24 5:38 p.m. | 4 views

CVE-2026-42035

Axios is a promise based HTTP client for the browser and Node.js. Prior to 1.15.1 and 0.31.1, a prototype pollution gadget exists in the Axios HTTP adapter lib/adapters/http.js that allows an attacker to inject arbitrary HTTP headers into outgoing requests. The vulnerability exploits duck-type...

7.4 CVSS | 5.7 AI score | 0.00394 EPSS
Exploits 1 | References 2 | Affected Software 1
Vulnrichment
added 2026/04/24 5:38 p.m. | 3 views

CVE-2026-42035 Axios: Header Injection via Prototype Pollution

Axios is a promise based HTTP client for the browser and Node.js. Prior to 1.15.1 and 0.31.1, a prototype pollution gadget exists in the Axios HTTP adapter lib/adapters/http.js that allows an attacker to inject arbitrary HTTP headers into outgoing requests. The vulnerability exploits duck-type...

7.4 CVSS | 5.6 AI score | 0.00394 EPSS
Exploits 1 | References 1
Debian CVE
added 2026/04/24 5:36 p.m. | 3 views

CVE-2026-42033

Axios is a promise based HTTP client for the browser and Node.js. Prior to 1.15.1 and 0.31.1, when Object.prototype has been polluted by any co-dependency with keys that axios reads without a hasOwnProperty guard, an attacker can silently intercept and modify every JSON response before the...

7.4 CVSS | 5.4 AI score | 0.00838 EPSS
Exploits 1
ATTACKERKB
added 2026/04/24 5:36 p.m. | 4 views

CVE-2026-42033

Axios is a promise based HTTP client for the browser and Node.js. Prior to 1.15.1 and 0.31.1, when Object.prototype has been polluted by any co-dependency with keys that axios reads without a hasOwnProperty guard, an attacker can silently intercept and modify every JSON response before the...

7.4 CVSS | 5.4 AI score | 0.00838 EPSS
Exploits 1 | References 2 | Affected Software 1