CVE-2026-44494 Axios: Full Man-in-the-Middle via Prototype Pollution Gadget in `config.proxy`

Axios is a promise based HTTP client for the browser and Node.js. From 1.0.0 to before 1.16.0, the Axios library is vulnerable to a Prototype Pollution "Gadget" attack that allows any Object.prototype pollution in the application's dependency tree to be escalated into a full Man-in-the-Middle MIT...

CVE-2026-42313 pyload-ng: non-admin SETTINGS users can redirect all outbound traffic through an attacker-controlled proxy

pyLoad is a free and open-source download manager written in Python. Prior to 0.5.0b3.dev100, the setconfigvalue API method @permissionPerms.SETTINGS in src/pyload/core/api/init.py gates security-sensitive options behind a hand-maintained allowlist ADMINONLYCOREOPTIONS. The allowlist contains...

pyload-ng: non-admin SETTINGS users can redirect all outbound traffic through an attacker-controlled proxy via unrestricted `proxy.*` config (incomplete fix for CVE-2026-33509 / -35463 / -35464 / -35586)

Summary The setconfigvalue API method @permissionPerms.SETTINGS in src/pyload/core/api/init.py gates security-sensitive options behind a hand-maintained allowlist ADMINONLYCOREOPTIONS. The allowlist contains "proxy", "username" and "proxy", "password" — which protect the proxy credentials — but i...

PT-2026-37051

CVE-2026-42313 pyLoad is a free and open-source download manager written in Python. Prior to 0.5.0b3.dev100, the set config value API method @permissionPerms.SETTINGS in src/p… https://t.co/8rZNAbQm5s...

Malicious code in myasicapi (PyPI)

--- -= Per source details. Do not edit below this line.=- Source: kam193 62067570b5217e75a025ba09e5e4f0d059439d8a7d30e056bdd501fe97e4f844 The code and related Github project promise to monitor hardware cryptominers. However, the code additionally hides two malicious capabilities functionalities: ...

MAL-2026-984 Malicious code in myasicapi (PyPI)

--- -= Per source details. Do not edit below this line.=- Source: kam193 62067570b5217e75a025ba09e5e4f0d059439d8a7d30e056bdd501fe97e4f844 The code and related Github project promise to monitor hardware cryptominers. However, the code additionally hides two malicious capabilities functionalities: ...

CVE-2025-20210

A vulnerability in the management API of Cisco Catalyst Center, formerly Cisco DNA Center, could allow an unauthenticated, remote attacker to read and modify the outgoing proxy configuration settings. This vulnerability is due to the lack of authentication in an API endpoint. An attacker could...

MGASA-2016-0340 Updated python-twisted-web packages fix a security vulnerability

It was discovered that python-twisted-web used the value of the Proxy header from HTTP requests to initialize the HTTPPROXY environment variable for CGI scripts, which in turn was incorrectly used by certain HTTP client implementations to configure the proxy for outgoing HTTP requests. A remote...

Twisted: sets environmental variable based on user supplied Proxy request header

It was discovered that python-twisted-web used the value of the Proxy header from HTTP requests to initialize the HTTPPROXY environment variable for CGI scripts, which in turn was incorrectly used by certain HTTP client implementations to configure the proxy for outgoing HTTP requests. A remote...

HTTPD: sets environmental variable based on user supplied Proxy request header

It was discovered that httpd used the value of the Proxy header from HTTP requests to initialize the HTTPPROXY environment variable for CGI scripts, which in turn was incorrectly used by certain HTTP client implementations to configure the proxy for outgoing HTTP requests. A remote attacker could...

HTTPD: sets environmental variable based on user supplied Proxy request header

It was discovered that httpd used the value of the Proxy header from HTTP requests to initialize the HTTPPROXY environment variable for CGI scripts, which in turn was incorrectly used by certain HTTP client implementations to configure the proxy for outgoing HTTP requests. A remote attacker could...