1422 matches found

ATTACKERKB
added 2026/04/24 5:57 p.m. | 1 view

CVE-2026-42038

Axios is a promise-based HTTP client for the browser and Node.js. Prior to 1.15.1 and 0.31.1, the fix for the no_proxy hostname normalization bypass is incomplete. When no_proxy=localhost is set, requests to 127.0.0.1 and ::1 still route through the proxy instead of bypassing it. The shouldBypassProxy...

CVSS 6.8 | AI score 5.3 | EPSS 0.00082
Exploits 1 | References 2 | Affected Software 1
Vulnrichment
added 2026/04/24 5:57 p.m. | 2 views

CVE-2026-42038 Axios: no_proxy bypass via IP alias allows SSRF

Axios is a promise-based HTTP client for the browser and Node.js. Prior to 1.15.1 and 0.31.1, the fix for the no_proxy hostname normalization bypass is incomplete. When no_proxy=localhost is set, requests to 127.0.0.1 and ::1 still route through the proxy instead of bypassing it. The shouldBypassProxy...

CVSS 6.8 | AI score 5.3 | EPSS 0.00082
Exploits 1 | References 1
CVE
added 2026/04/24 5:57 p.m. | 38 views

CVE-2026-42038

Axios no_proxy bypass via IP alias allows SSRF in older releases. Affected: Axios (browser/Node.js). Fault: shouldBypassProxy() uses pure string matching and does not resolve IP aliases or loopback equivalents, so requests to 127.0.0.1 or [::1] can be proxied when no_proxy=localhost. Impact: pote...

CVSS 7.5 | AI score 5.3 | EPSS 0.00082
Exploits 1 | References 1 | Affected Software 1
CVE
added 2026/04/24 5:54 p.m. | 152 views

CVE-2026-42043

Axios: CVE-2026-42043 affects Axios versions prior to 1.15.1 and 0.31.1, where an attacker controlling the request URL could bypass NO_PROXY by using loopback 127.0.0.0/8 addresses (except 127.0.0.1). Root cause is an incomplete fix for CVE-2025-62718. Impact is potential exposure via proxy/SSRF ...

CVSS 10 | AI score 5.2 | EPSS 0.00026
Exploits 1 | References 1 | Affected Software 1
Vulnrichment
added 2026/04/24 5:54 p.m. | 2 views

CVE-2026-42043 Axios: Incomplete Fix for CVE-2025-62718 — NO_PROXY Protection Bypassed via RFC 1122 Loopback Subnet (127.0.0.0/8) in Axios 1.15.0

Axios is a promise-based HTTP client for the browser and Node.js. Prior to 1.15.1 and 0.31.1, an attacker who can influence the target URL of an Axios request can use any address in the 127.0.0.0/8 range other than 127.0.0.1 to completely bypass the NO_PROXY protection. This vulnerability is due t...

CVSS 7.2 | AI score 5.3 | EPSS 0.00026
Exploits 1 | References 1
Cvelist
added 2026/04/24 5:54 p.m. | 28 views

CVE-2026-42043 Axios: Incomplete Fix for CVE-2025-62718 — NO_PROXY Protection Bypassed via RFC 1122 Loopback Subnet (127.0.0.0/8) in Axios 1.15.0

Axios is a promise-based HTTP client for the browser and Node.js. Prior to 1.15.1 and 0.31.1, an attacker who can influence the target URL of an Axios request can use any address in the 127.0.0.0/8 range other than 127.0.0.1 to completely bypass the NO_PROXY protection. This vulnerability is due t...

CVSS 7.2 | EPSS 0.00026
Exploits 1 | References 1
ATTACKERKB
added 2026/04/24 5:54 p.m. | 6 views

CVE-2026-42043

Axios is a promise-based HTTP client for the browser and Node.js. Prior to 1.15.1 and 0.31.1, an attacker who can influence the target URL of an Axios request can use any address in the 127.0.0.0/8 range other than 127.0.0.1 to completely bypass the NO_PROXY protection. This vulnerability is due t...

CVSS 9.9 | AI score 5.3 | EPSS 0.00069
Exploits 2 | References 2 | Affected Software 1
Positive Technologies
added 2026/04/24 12:00 a.m. | 3 views

PT-2026-35048

Name of the Vulnerable Software and Affected Versions: Axios versions prior to 0.31.1; Axios versions prior to 1.15.1. Description: An incomplete fix for the no_proxy hostname normalization bypass allows requests to 127.0.0.1 and ::1 to route through a proxy even when no_proxy=localhost is configured. Th...

CVSS 7.5 | AI score 5.8 | EPSS 0.00082
Exploits 1 | References 8
CNNVD
added 2026/04/24 12:00 a.m. | 4 views

Axios code issue vulnerability

Axios is an open-source HTTP client developed by Axios. Versions of Axios prior to 1.15.1 and 0.31.1 have code vulnerabilities. These vulnerabilities stem from an incomplete fix for no_proxy hostname normalization, allowing requests to 127.0.0.1 and ::1 to still be routed through a proxy...

CVSS 7.5 | AI score 5.9 | EPSS 0.00082
Exploits 1 | References 1
SUSE Linux
added 2026/04/23 4:06 p.m. | 1 view

Security update for the Linux Kernel (Live Patch 38 for SUSE Linux Enterprise 15 SP4)

This update for the SUSE Linux Enterprise Kernel 5.14.21-150400.24.158 fixes various security issues. The following security issues were fixed: CVE-2026-23191: ALSA: aloop: Fix racy access at PCM trigger (bsc1258396). CVE-2026-23268: apparmor: fix unprivileged local user can do privileged policy...

CVSS 7.3 | AI score 5.3 | EPSS 0.00021
Exploits 0 | References 8
ATTACKERKB
added 2026/04/23 1:45 p.m. | 1 view

CVE-2026-41461

SocialEngine versions 7.8.0 and prior contain a blind server-side request forgery vulnerability in the /core/link/preview endpoint, where user-supplied input passed via the uri request parameter is not sanitized before being used to construct outbound HTTP requests. Authenticated remote attackers...

CVSS 8.5 | AI score 5.9 | EPSS 0.00051
Exploits 1 | References 4
Vulnrichment
added 2026/04/23 1:45 p.m. | 3 views

CVE-2026-41461 SocialEngine <= 7.8.0 Blind SSRF via /core/link/preview

SocialEngine versions 7.8.0 and prior contain a blind server-side request forgery vulnerability in the /core/link/preview endpoint, where user-supplied input passed via the uri request parameter is not sanitized before being used to construct outbound HTTP requests. Authenticated remote attackers...

CVSS 8.5 | AI score 5.9 | EPSS 0.00051
Exploits 1 | References 3
Positive Technologies
added 2026/04/23 12:00 a.m. | 1 view

PT-2026-34665

SocialEngine versions 7.8.0 and prior contain a blind server-side request forgery vulnerability in the /core/link/preview endpoint, where user-supplied input passed via the uri request parameter is not sanitized before being used to construct outbound HTTP requests. Authenticated remote attackers...

CVSS 8.5 | AI score 5.9 | EPSS 0.00051
Exploits 1 | References 4
Tenable Nessus
added 2026/04/21 12:00 a.m. | 2 views

Unity Linux 20.1070e Security Update: kernel (UTSA-2026-011353)

The Unity Linux 20 host has a package installed that is affected by a vulnerability as referenced in the UTSA-2026-011353 advisory. In the Linux kernel, the following vulnerability has been resolved: netfilter: nf_reject: don't leak dst refcount for loopback packets. Recent patches to add a WARN wh...

CVSS 5.5 | AI score 5.7 | EPSS 0.00025
Exploits 0 | References 4
RedHat Linux
added 2026/04/20 9:18 p.m. | 11 views

kernel: ALSA: aloop: Fix racy access at PCM trigger

In the Linux kernel, the following vulnerability has been resolved: ALSA: aloop: Fix racy access at PCM trigger. The PCM trigger callback of the aloop driver tries to check the PCM state and stop the stream of the tied substream in the corresponding cable. Since both check and stop operations are...

CVSS 7.8 | AI score 5.6 | EPSS 0.00017
Exploits 0 | References 5
RedHat Linux
added 2026/04/20 9:03 p.m. | 4 views

kernel: ALSA: aloop: Fix racy access at PCM trigger

In the Linux kernel, the following vulnerability has been resolved: ALSA: aloop: Fix racy access at PCM trigger. The PCM trigger callback of the aloop driver tries to check the PCM state and stop the stream of the tied substream in the corresponding cable. Since both check and stop operations are...

CVSS 7.8 | AI score 5.6 | EPSS 0.00017
Exploits 0 | References 5
Tenable Nessus
added 2026/04/20 12:00 a.m. | 6 views

RHEL 8 : kernel (RHSA-2026:9131)

The remote Red Hat Enterprise Linux 8 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2026:9131 advisory. The kernel packages contain the Linux kernel, the core of any Linux operating system. Security Fixes: kernel: scsi: qla2xxx: Fix improper...

CVSS 7.8 | AI score 6 | EPSS 0.00029
Exploits 0 | References 6
Tenable Nessus
added 2026/04/20 12:00 a.m. | 2 views

Unity Linux 20.1070a Security Update: kernel (UTSA-2026-011413)

The Unity Linux 20 host has a package installed that is affected by a vulnerability as referenced in the UTSA-2026-011413 advisory. In the Linux kernel, the following vulnerability has been resolved: netfilter: nf_reject: don't leak dst refcount for loopback packets. Recent patches to add a WARN wh...

CVSS 5.5 | AI score 5.9 | EPSS 0.00025
Exploits 0 | References 4
Slackware Linux
added 2026/04/17 9:29 p.m. | 3 views

[slackware-security] cups

New cups packages are available for Slackware 15.0 and -current to fix security issues. Here are the details from the Slackware 15.0 ChangeLog: patches/packages/cups-2.4.17-i586-1slack15.0.txz: Upgraded. This update fixes security issues: The scheduler treated local user and group names as...

CVSS 7.8 | AI score 5.8 | EPSS 0.00036
Exploits 7
NVD
added 2026/04/17 5:17 p.m. | 0 views

CVE-2026-40516

OpenHarness before commit bd4df81 contains a server-side request forgery vulnerability in the webfetch and websearch tools that allows attackers to access private and localhost HTTP services by manipulating tool parameters without proper validation of target addresses. Attackers can influence an...

CVSS 8.3 | EPSS 0.00034
Exploits 1 | References 3