
21 matches found

CVE
added 2026/05/08 3:20 a.m., 11 views

CVE-2026-42264

Summary: CVE-2026-42264 affects Axios, a promise-based HTTP client for browser/Node.js. The vulnerability lies in the HTTP adapter: from 1.0.0 up to, but not including, 1.15.2, certain config properties (auth, baseURL, socketPath, beforeRedirect, insecureHTTPParser) are read via direct property a...

CVSS 9.1 | AI score 5.7 | EPSS 0.00098
Exploits: 1 | References: 4 | Affected Software: 1
Cvelist
added 2026/05/08 3:20 a.m., 27 views

CVE-2026-42264 Axios: Prototype pollution read-side gadgets in HTTP adapter allow credential injection and request hijacking

Axios is a promise-based HTTP client for the browser and Node.js. From version 1.0.0 to before version 1.15.2, five config properties (auth, baseURL, socketPath, beforeRedirect, and insecureHTTPParser) in the HTTP adapter are read via direct property access without hasOwnProperty guards, making th...

CVSS 7.4 | EPSS 0.00098
Exploits: 1 | References: 4
Vulnrichment
added 2026/05/08 3:20 a.m., 5 views

CVE-2026-42264 Axios: Prototype pollution read-side gadgets in HTTP adapter allow credential injection and request hijacking

Axios is a promise-based HTTP client for the browser and Node.js. From version 1.0.0 to before version 1.15.2, five config properties (auth, baseURL, socketPath, beforeRedirect, and insecureHTTPParser) in the HTTP adapter are read via direct property access without hasOwnProperty guards, making th...

CVSS 7.4 | AI score 5.7 | EPSS 0.00098
Exploits: 1 | References: 4
Github Security Blog
added 2026/05/05 12:18 a.m., 12 views

Axios has prototype pollution read-side gadgets in HTTP adapter that allow credential injection and request hijacking

Summary: Five config properties in the HTTP adapter are read via direct property access without hasOwnProperty guards, making them exploitable as prototype pollution gadgets. When Object.prototype is polluted by another dependency in the same process, axios silently picks up these polluted values ...

CVSS 9.1 | AI score 5.9 | EPSS 0.00098
Exploits: 1 | References: 6 | Affected Software: 1
OSV
added 2026/05/05 12:18 a.m., 1 view

GHSA-Q8QP-CVCW-X6JJ Axios has prototype pollution read-side gadgets in HTTP adapter that allow credential injection and request hijacking

Summary: Five config properties in the HTTP adapter are read via direct property access without hasOwnProperty guards, making them exploitable as prototype pollution gadgets. When Object.prototype is polluted by another dependency in the same process, axios silently picks up these polluted values ...

CVSS 7.4 | AI score 5.9 | EPSS 0.00098
Exploits: 1 | References: 6
Github Security Blog
added 2026/04/10 8:18 p.m., 11 views

basic-ftp: Incomplete CRLF Injection Protection Allows Arbitrary FTP Command Execution via Credentials and MKD Commands

Summary: basic-ftp's CRLF injection protection added in commit 2ecc8e2 for GHSA-chqc-8p9q-pq6q is incomplete. Two code paths bypass the protectWhitespace control character check: (1) the login method directly concatenates user-supplied credentials into USER/PASS FTP commands without any validation,...

AI score 6.2
Exploits: 0 | References: 4 | Affected Software: 1
OSV
added 2026/04/10 8:18 p.m., 2 views

GHSA-6V7Q-WJVX-W8WG basic-ftp: Incomplete CRLF Injection Protection Allows Arbitrary FTP Command Execution via Credentials and MKD Commands

Summary: basic-ftp's CRLF injection protection added in commit 2ecc8e2 for GHSA-chqc-8p9q-pq6q is incomplete. Two code paths bypass the protectWhitespace control character check: (1) the login method directly concatenates user-supplied credentials into USER/PASS FTP commands without any validation,...

CVSS 8.2 | AI score 6.2
Exploits: 0 | References: 4
RedhatCVE
added 2026/02/27 12:41 a.m., 5 views

CVE-2026-27847

Due to improper neutralization of special elements, SQL statements can be injected via the handshake of a TLS-SRP connection. This can be used to inject known credentials into the database that can be utilized to successfully complete the handshake and use the protected service. This issue affect...

CVSS 9.8 | AI score 5.7 | EPSS 0.00071
Exploits: 0 | References: 1
EUVD
added 2026/02/25 6:31 p.m., 5 views

EUVD-2026-8649

Due to improper neutralization of special elements, SQL statements can be injected via the handshake of a TLS-SRP connection. This can be used to inject known credentials into the database that can be utilized to successfully complete the handshake and use the protected service. This issue affect...

AI score 5.7 | EPSS 0.00071
Exploits: 0 | References: 2
NVD
added 2026/02/25 4:23 p.m., 7 views

CVE-2026-27847

Due to improper neutralization of special elements, SQL statements can be injected via the handshake of a TLS-SRP connection. This can be used to inject known credentials into the database that can be utilized to successfully complete the handshake and use the protected service. This issue affect...

CVSS 9.8 | EPSS 0.00071
Exploits: 0 | References: 1
ATTACKERKB
added 2026/02/25 3:10 p.m., 4 views

CVE-2026-27847

Due to improper neutralization of special elements, SQL statements can be injected via the handshake of a TLS-SRP connection. This can be used to inject known credentials into the database that can be utilized to successfully complete the handshake and use the protected service. This issue affect...

CVSS 9.8 | AI score 5.7 | EPSS 0.00071
Exploits: 0 | References: 2 | Affected Software: 2
Positive Technologies
added 2026/02/25 12:00 a.m., 4 views

PT-2026-21926

Name of the Vulnerable Software and Affected Versions: MR9600 versions 1.0.4.205530; MX4200 versions 1.0.13.210200. Description: The software contains a flaw due to improper neutralization of special elements, allowing for SQL statement injection during the TLS-SRP connection handshake. This injectio...

CVSS 9.8 | AI score 5.4 | EPSS 0.00071
Exploits: 0 | References: 5
CNNVD
added 2026/02/21 12:00 a.m., 4 views

Static Web Server security vulnerability

Static Web Server is a static web server developed by the German company Static Web Server. Versions 2.1.0 to 2.40.1 of Static Web Server contain security vulnerabilities. These vulnerabilities stem from time-based username enumeration in basic authentication, which may lead to brute-force attack...

CVSS 5.3 | AI score 5.8 | EPSS 0.00025
Exploits: 1 | References: 2
OSV
added 2026/02/08 7:16 p.m., 4 views

CVE-2026-2173

A vulnerability was identified in code-projects Online Examination System 1.0. Affected by this issue is some unknown functionality of the file login.php. The manipulation of the argument username/password leads to sql injection. The attack may be initiated remotely...

CVSS 9.8 | AI score 5.7 | EPSS 0.00037
Exploits: 0 | References: 4
RedhatCVE
added 2025/12/04 12:30 p.m., 7 views

CVE-2025-12887

The Post SMTP plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 3.6.1. This is due to the plugin not properly verifying that a user is authorized to update OAuth tokens on the 'handlegmailoauthredirect' function. This makes it possible for...

CVSS 5.4 | AI score 5.9 | EPSS 0.00051
Exploits: 0 | References: 1
EUVD
added 2025/12/03 12:29 p.m., 2 views

EUVD-2025-200978

The Post SMTP plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 3.6.1. This is due to the plugin not properly verifying that a user is authorized to update OAuth tokens on the 'handlegmailoauthredirect' function. This makes it possible for...

CVSS 5.4 | AI score 5.4 | EPSS 0.00051
Exploits: 0 | References: 3
EUVD
added 2025/10/07 12:30 a.m., 2 views

EUVD-2007-2768

Malware in sbrugna...

CVSS 10 | AI score 6.4 | EPSS 0.01533
Exploits: 0 | References: 6
IBM Security Bulletins
added 2025/04/03 4:57 p.m., 35 views

Security Bulletin: IBM Cloud Kubernetes Service is affected by Kubernetes Ingress Controller security vulnerabilities (CVE-2025-24514, CVE-2025-1097, CVE-2025-1098)

Summary: IBM Cloud Kubernetes Service is affected by Kubernetes Ingress Controller security vulnerabilities where a user that can create or update Ingress objects can use the nginx.ingress.kubernetes.io/auth-url annotation (CVE-2025-24514) or the nginx.ingress.kubernetes.io/auth-tls-match-cn...

CVSS 8.8 | AI score 7.6 | EPSS 0.65355
Exploits: 8 | Affected Software: 1
Veracode
added 2022/12/02 2:13 a.m., 27 views

Cross-Site Request Forgery (CSRF)

thinkcmf/thinkcmf is vulnerable to cross-site request forgery. The vulnerability exists because it is possible to inject a Super Administrator user into administrative users, which allows an attacker to take control of the site via credential injection...

CVSS 8.8 | AI score 8.2 | EPSS 0.00129
Exploits: 1 | References: 3 | Affected Software: 1
Kitploit
added 2021/06/27 12:30 p.m., 51 views

HoneyCreds - Network Credential Injection To Detect Responder And Other Network Poisoners

HoneyCreds: network credential injection to detect Responder and other network poisoners. Requirements: Python 3.6+ (tested on Python 3.9), smbprotocol, cffi, splunk-sdk. Installation: git clone https://github.com/Ben0xA/HoneyCreds.git; cd HoneyCreds; pip3 install -r requirements.txt. Running: python...

AI score 7.5
Exploits: 0 | References: 1