Lucene search
K

4325 matches found

OSV
OSV
added 2026/06/11 5:16 p.m.6 views

DEBIAN-CVE-2026-44489

Axios is a promise based HTTP client for the browser and Node.js. From 1.15.2 to before 1.16.0, nested objects created by utils.merge e.g., config.proxy are still constructed as plain with Object.prototype in their chain. The setProxy function at lib/adapters/http.js:209-223 reads proxy.username,...

5.3CVSS5.3AI score0.00228EPSS
Exploits1References1
NVD
NVD
added 2026/06/11 4:16 p.m.15 views

CVE-2026-4096

IBM DevOps Plan 3.0.0 through 3.0.6 is vulnerable to HTTP header injection, caused by improper validation of input by the HOST headers. This could allow an attacker to conduct various attacks against the vulnerable system, including cross-site scripting, cache poisoning or session hijacking...

6.5CVSS0.00149EPSS
Exploits0References1
Cvelist
Cvelist
added 2026/06/11 3:36 p.m.33 views

CVE-2026-44490 Axios: DoS & Header Injection via Prototype Pollution Read-Side Gadgets in axios merge functions

Axios is a promise based HTTP client for the browser and Node.js. Prior to 0.32.0 and 1.16.0, axios exposes two read-side prototype-pollution gadgets. When Object.prototype is polluted by an upstream dependency in the same process e.g. lodash .merge / CVE-2018-16487, axios silently picks up the...

4.8CVSS0.00287EPSS
Exploits1References1
Vulnrichment
Vulnrichment
added 2026/06/11 3:36 p.m.7 views

CVE-2026-44490 Axios: DoS & Header Injection via Prototype Pollution Read-Side Gadgets in axios merge functions

Axios is a promise based HTTP client for the browser and Node.js. Prior to 0.32.0 and 1.16.0, axios exposes two read-side prototype-pollution gadgets. When Object.prototype is polluted by an upstream dependency in the same process e.g. lodash .merge / CVE-2018-16487, axios silently picks up the...

4.8CVSS5.5AI score0.00287EPSS
Exploits1References1
CVE
CVE
added 2026/06/11 3:36 p.m.76 views

CVE-2026-44490

Summary : CVE-2026-44490 affects Axios up to versions before 0.32.0 and 1.16.0, where two read-side prototype-pollution gadgets can cause polluted Object.prototype values to be exposed in headers or trigger TypeError during requests. The root cause is how the merge accumulator and hasOwnProperty ...

8.2CVSS5.5AI score0.00287EPSS
Exploits1References1Affected Software1
EUVD
EUVD
added 2026/06/11 3:30 p.m.10 views

EUVD-2026-36256

Axios is a promise based HTTP client for the browser and Node.js. From 1.15.2 to before 1.16.0, nested objects created by utils.merge e.g., config.proxy are still constructed as plain with Object.prototype in their chain. The setProxy function at lib/adapters/http.js:209-223 reads proxy.username,...

3.7CVSS5.5AI score0.00228EPSS
Exploits1References1
Cvelist
Cvelist
added 2026/06/11 3:30 p.m.28 views

CVE-2026-44489 Axios: Proxy-Authorization Header Injection via Prototype Pollution — Incomplete Null-Prototype Fix

Axios is a promise based HTTP client for the browser and Node.js. From 1.15.2 to before 1.16.0, nested objects created by utils.merge e.g., config.proxy are still constructed as plain with Object.prototype in their chain. The setProxy function at lib/adapters/http.js:209-223 reads proxy.username,...

3.7CVSS0.00228EPSS
Exploits1References1
CVE
CVE
added 2026/06/11 3:30 p.m.85 views

CVE-2026-44489

Axios version range 1.15.2–1.15.x is vulnerable to a header injection via the Proxy-Authorization header. The root cause is that nested objects created by utils.merge() (e.g., config.proxy) retain plain {} with Object.prototype in their chain, and setProxy() in lib/adapters/http.js (lines ~209–22...

5.3CVSS5.5AI score0.00228EPSS
Exploits1References1Affected Software1
Debian CVE
Debian CVE
added 2026/06/11 3:30 p.m.7 views

CVE-2026-44489

Axios is a promise based HTTP client for the browser and Node.js. From 1.15.2 to before 1.16.0, nested objects created by utils.merge e.g., config.proxy are still constructed as plain with Object.prototype in their chain. The setProxy function at lib/adapters/http.js:209-223 reads proxy.username,...

5.3CVSS5.3AI score0.00228EPSS
Exploits1
Snyk
Snyk
added 2026/06/11 3:20 p.m.4 views

HTTP Response Splitting

Overview Affected versions of this package are vulnerable to HTTP Response Splitting via the host component of a URI when constructing a PSR-7 Uri or Request. An attacker can inject arbitrary HTTP headers by supplying a crafted host value containing ASCII control characters, such as CRLF, which a...

6.9CVSS5.5AI score0.00189EPSS
Exploits0References2
EUVD
EUVD
added 2026/06/11 2:44 p.m.10 views

EUVD-2026-36252

IBM DevOps Plan 3.0.0 through 3.0.6 is vulnerable to HTTP header injection, caused by improper validation of input by the HOST headers. This could allow an attacker to conduct various attacks against the vulnerable system, including cross-site scripting, cache poisoning or session hijacking...

6.5CVSS5.3AI score0.00149EPSS
Exploits0References1
Cvelist
Cvelist
added 2026/06/11 2:44 p.m.29 views

CVE-2026-4096 A vulnerability has been identified in IBM DevOps Plan that allows a Host Header Injection attack due to improper handling of the Host header in HTTP requests.

IBM DevOps Plan 3.0.0 through 3.0.6 is vulnerable to HTTP header injection, caused by improper validation of input by the HOST headers. This could allow an attacker to conduct various attacks against the vulnerable system, including cross-site scripting, cache poisoning or session hijacking...

6.5CVSS0.00149EPSS
Exploits0References1
CVE
CVE
added 2026/06/11 2:44 p.m.26 views

CVE-2026-4096

Summary of CVE-2026-4096 (IBM DevOps Plan) IBM DevOps Plan versions 3.0.0 to 3.0.6 are affected by an HTTP header injection vulnerability caused by improper validation of the Host header. This can enable attacker-driven attacks such as cross-site scripting, cache poisoning, or session hijacking a...

6.5CVSS5.3AI score0.00149EPSS
Exploits0References1Affected Software1
NVD
NVD
added 2026/06/11 1:16 p.m.10 views

CVE-2026-49214

guzzlehttp/psr7 is a PSR-7 HTTP message library implementation in PHP. Versions prior to 2.10.2 did not reject ASCII control characters, whitespace, or DEL in first-party URI host components. A vulnerable flow is: First, an application accepts a user-controlled URL. Second, the URL is used to...

5.3CVSS0.00189EPSS
Exploits0References1
Github Security Blog
Github Security Blog
added 2026/06/11 1:4 p.m.14 views

guzzlehttp/psr7 has CRLF Injection via URI Host Component

Impact guzzlehttp/psr7 did not reject ASCII control characters, whitespace, or DEL in first-party URI host components. The issue requires a PSR-7 request to be serialized into a raw HTTP/1.x message, for example with GuzzleHttp\Psr7\Message::toString or an equivalent custom serializer. Creating a...

5.3CVSS5.5AI score0.00189EPSS
Exploits0References3Affected Software1
EUVD
EUVD
added 2026/06/11 12:38 p.m.16 views

EUVD-2026-36240

guzzlehttp/psr7 is a PSR-7 HTTP message library implementation in PHP. Versions prior to 2.10.2 did not reject ASCII control characters, whitespace, or DEL in first-party URI host components. A vulnerable flow is: First, an application accepts a user-controlled URL. Second, the URL is used to...

5.3CVSS5.5AI score0.00189EPSS
Exploits0References1
RedhatCVE
RedhatCVE
added 2026/06/11 8:59 a.m.12 views

CVE-2026-44546

A flaw was found in daphne. This vulnerability arises from a parser differential where daphne reconstructs HTTP requests from Twisted's headers, but Twisted and autobahn handle certain header line separators differently. An attacker can exploit this to inject additional headers into the ASGI...

5.3CVSS5.5AI score0.00172EPSS
Exploits0References4
Tenable Nessus
Tenable Nessus
added 2026/06/11 12:0 a.m.10 views

Linux Distros Unpatched Vulnerability : CVE-2026-44489

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - Axios is a promise based HTTP client for the browser and Node.js. From 1.15.2 to before 1.16.0, nested objects created by utils.merge e.g., config.proxy are sti...

5.3CVSS5.4AI score0.00228EPSS
Exploits1References3
Positive Technologies
Positive Technologies
added 2026/06/11 12:0 a.m.14 views

PT-2026-48672

Name of the Vulnerable Software and Affected Versions IBM DevOps Plan versions 3.0.0 through 3.0.6 Description An issue exists due to improper validation of input within the Host header of HTTP requests. This allows for HTTP header injection, which can be leveraged to perform cross-site scripting...

6.5CVSS5.7AI score0.00149EPSS
Exploits0References5
CNNVD
CNNVD
added 2026/06/11 12:0 a.m.11 views

IBM DevOps Plan 安全漏洞

IBM DevOps Plan is a change management collaboration platform provided by the American multinational company International Business Machines IBM. There were security vulnerabilities in versions 3.0.0 to 3.0.6 of IBM DevOps Plan. These vulnerabilities stemmed from improper input validation of the...

6.5CVSS5.4AI score0.00149EPSS
Exploits0References1
Rows per page
Query Builder