UbuntuCve
added 2026/04/24 6:16 p.m., 4 views

CVE-2026-42044

Axios is a promise based HTTP client for the browser and Node.js. From 1.0.0 to before 1.15.2, the Axios library is vulnerable to a Prototype Pollution "Gadget" attack that allows any Object.prototype pollution in the application's dependency tree to be escalated into surgical, invisible...

CVSS 9.1 | AI score 5.8 | EPSS 0.00269
Exploits: 1 | References: 2
OSV
added 2026/04/24 6:16 p.m., 5 views

UBUNTU-CVE-2026-42044

Axios is a promise based HTTP client for the browser and Node.js. From 1.0.0 to before 1.15.2, the Axios library is vulnerable to a Prototype Pollution "Gadget" attack that allows any Object.prototype pollution in the application's dependency tree to be escalated into surgical, invisible...

CVSS 9.1 | AI score 5.8 | EPSS 0.00269
Exploits: 1 | References: 3
OSV
added 2026/04/24 6:16 p.m., 4 views

UBUNTU-CVE-2026-42038

Axios is a promise based HTTP client for the browser and Node.js. Prior to 1.15.1 and 0.31.1, the fix for noproxy hostname normalization bypass is incomplete. When noproxy=localhost is set, requests to 127.0.0.1 and ::1 still route through the proxy instead of bypassing it. The shouldBypassProxy...

CVSS 7.5 | AI score 5.8 | EPSS 0.00301
Exploits: 1 | References: 3
OSV
added 2026/04/24 6:16 p.m., 7 views

UBUNTU-CVE-2026-42035

Axios is a promise based HTTP client for the browser and Node.js. Prior to 1.15.1 and 0.31.1, a prototype pollution gadget exists in the Axios HTTP adapter lib/adapters/http.js that allows an attacker to inject arbitrary HTTP headers into outgoing requests. The vulnerability exploits duck-type...

CVSS 7.4 | AI score 6 | EPSS 0.00394
Exploits: 1 | References: 3
UbuntuCve
added 2026/04/24 6:16 p.m., 2 views

CVE-2026-42043

Axios is a promise based HTTP client for the browser and Node.js. Prior to 1.15.1 and 0.31.1, an attacker who can influence the target URL of an Axios request can use any address in the 127.0.0.0/8 range other than 127.0.0.1 to completely bypass the NOPROXY protection. This vulnerability is due t...

CVSS 10 | AI score 5.8 | EPSS 0.00409
Exploits: 1 | References: 2
UbuntuCve
added 2026/04/24 6:16 p.m., 5 views

CVE-2026-42036

Axios is a promise based HTTP client for the browser and Node.js. Prior to 1.15.1 and 0.31.1, when responseType: 'stream' is used, Axios returns the response stream without enforcing maxContentLength. This bypasses configured response-size limits and allows unbounded downstream consumption. This...

CVSS 5.3 | AI score 5.8 | EPSS 0.00421
Exploits: 1 | References: 2
Debian CVE
added 2026/04/24 6:1 p.m., 3 views

CVE-2026-42039

Axios is a promise based HTTP client for the browser and Node.js. Prior to 1.15.1 and 0.31.1, toFormData recursively walks nested objects with no depth limit, so a deeply nested value passed as request data crashes the Node.js process with a RangeError. This vulnerability is fixed in 1.15.1 and...

CVSS 7.5 | AI score 5.3 | EPSS 0.00413
Exploits: 1
Debian CVE
added 2026/04/24 6:0 p.m., 5 views

CVE-2026-42036

Axios is a promise based HTTP client for the browser and Node.js. Prior to 1.15.1 and 0.31.1, when responseType: 'stream' is used, Axios returns the response stream without enforcing maxContentLength. This bypasses configured response-size limits and allows unbounded downstream consumption. This...

CVSS 5.3 | AI score 5.3 | EPSS 0.00421
Exploits: 1
Debian CVE
added 2026/04/24 5:59 p.m., 4 views

CVE-2026-42034

Axios is a promise based HTTP client for the browser and Node.js. Prior to 1.15.1 and 0.31.1, for stream request bodies, maxBodyLength is bypassed when maxRedirects is set to 0 on the native http/https transport path. Oversized streamed uploads are sent fully even when the caller sets strict body limits...

CVSS 5.3 | AI score 5.3 | EPSS 0.00327
Exploits: 1
Debian CVE
added 2026/04/24 5:57 p.m., 4 views

CVE-2026-42038

Axios is a promise based HTTP client for the browser and Node.js. Prior to 1.15.1 and 0.31.1, the fix for noproxy hostname normalization bypass is incomplete. When noproxy=localhost is set, requests to 127.0.0.1 and ::1 still route through the proxy instead of bypassing it. The shouldBypassProxy...

CVSS 7.5 | AI score 5.3 | EPSS 0.00301
Exploits: 1
CVE
added 2026/04/24 5:55 p.m., 29 views

CVE-2026-42041

Affected software: Axios (browser and Node.js). Vulnerability: Prototype Pollution in the mergeDirectKeys path used by validateStatus, allowing pollution of Object.prototype that could cause all HTTP status codes to be treated as success. Root cause: The only config property using the mergeDirect...

CVSS 6.5 | AI score 5.3 | EPSS 0.00289
Exploits: 1 | References: 1 | Affected Software: 1
Debian CVE
added 2026/04/24 5:54 p.m., 4 views

CVE-2026-42043

Axios is a promise based HTTP client for the browser and Node.js. Prior to 1.15.1 and 0.31.1, an attacker who can influence the target URL of an Axios request can use any address in the 127.0.0.0/8 range other than 127.0.0.1 to completely bypass the NOPROXY protection. This vulnerability is due t...

CVSS 10 | AI score 5.4 | EPSS 0.00409
Exploits: 1
Vulnrichment
added 2026/04/24 5:38 p.m., 3 views

CVE-2026-42035 Axios: Header Injection via Prototype Pollution

Axios is a promise based HTTP client for the browser and Node.js. Prior to 1.15.1 and 0.31.1, a prototype pollution gadget exists in the Axios HTTP adapter lib/adapters/http.js that allows an attacker to inject arbitrary HTTP headers into outgoing requests. The vulnerability exploits duck-type...

CVSS 7.4 | AI score 5.6 | EPSS 0.00394
Exploits: 1 | References: 1
ATTACKERKB
added 2026/04/24 5:38 p.m., 3 views

CVE-2026-42035

Axios is a promise based HTTP client for the browser and Node.js. Prior to 1.15.1 and 0.31.1, a prototype pollution gadget exists in the Axios HTTP adapter lib/adapters/http.js that allows an attacker to inject arbitrary HTTP headers into outgoing requests. The vulnerability exploits duck-type...

CVSS 7.4 | AI score 5.7 | EPSS 0.00394
Exploits: 1 | References: 2 | Affected Software: 1
ATTACKERKB
added 2026/04/24 5:36 p.m., 4 views

CVE-2026-42033

Axios is a promise based HTTP client for the browser and Node.js. Prior to 1.15.1 and 0.31.1, when Object.prototype has been polluted by any co-dependency with keys that axios reads without a hasOwnProperty guard, an attacker can silently intercept and modify every JSON response before the...

CVSS 7.4 | AI score 5.4 | EPSS 0.00381
Exploits: 1 | References: 2 | Affected Software: 1
OSV
added 2026/04/24 4:18 p.m., 4 views

GHSA-4F9J-VR4P-642R Budibase auth session cookies are set with httpOnly:false — any XSS can lead to full account takeover

Summary The budibase:auth cookie containing the JWT session token is set with httpOnly: false at packages/backend-core/src/utils/utils.ts:218. JavaScript can read this cookie via document.cookie. Given that Budibase has had XSS vulnerabilities GHSA-gp5x-2v54-v2q5 — stored XSS via unsanitized enti...

CVSS 8.1 | AI score 5.8 | EPSS 0.00283
Exploits: 1 | References: 4
Github Security Blog
added 2026/04/24 3:19 p.m., 13 views

Contour has Lua code injection via Cookie Path Rewrite Policy

Impact Contour's Cookie Rewriting feature is vulnerable to Lua code injection. An attacker with RBAC permissions to create or modify HTTPProxy resources can craft a malicious value in the following fields that results in arbitrary code execution in the Envoy proxy: -...

CVSS 8.1 | AI score 6.3 | EPSS 0.00441
Exploits: 0 | References: 8 | Affected Software: 1
OSV
added 2026/04/24 1:10 p.m., 6 views

CLSA-2026-1777036238 libsoup: Fix of CVE-2026-5119

CVE-2026-5119: do not send cookies to a HTTP proxy for a HTTPS request...

CVSS 8.2 | AI score 5.8 | EPSS 0.00254
Exploits: 1 | References: 1
OSV
added 2026/04/24 12:30 p.m., 3 views

GHSA-W3W2-MPP5-92GM Apache ActiveMQ Vulnerable to Improper Input Validation and Code Injection

Improper Input Validation, Improper Control of Generation of Code 'Code Injection' vulnerability in Apache ActiveMQ Broker, Apache ActiveMQ All, Apache ActiveMQ. An authenticated attacker may bypass the fix in CVE-2026-34197 by adding a connector using an HTTP Discovery transport...

CVSS 8.8 | AI score 7.9 | EPSS 0.9631
Exploits: 12 | References: 3
Debian CVE
added 2026/04/24 10:15 a.m., 5 views

CVE-2026-40466

Improper Input Validation, Improper Control of Generation of Code 'Code Injection' vulnerability in Apache ActiveMQ Broker, Apache ActiveMQ All, Apache ActiveMQ. An authenticated attacker may bypass the fix in CVE-2026-34197 by adding a connector using an HTTP Discovery transport...

CVSS 8.8 | AI score 6.6 | EPSS 0.03972
Exploits: 12