18 matches found
Security Bulletin: IBM Maximo Application Suite - Monitor Component uses axios-1.15.0.tgz which is vulnerable to CVE-2026-42033, CVE-2026-42034, CVE-2026-42035, CVE-2026-42036, CVE-2026-42037
Summary: Security Bulletin: IBM Maximo Application Suite - Monitor Component uses axios-1.15.0.tgz which is vulnerable to CVE-2026-42033, CVE-2026-42034, CVE-2026-42035, CVE-2026-42036, CVE-2026-42037, CVE-2026-42038, CVE-2026-42039, CVE-2026-42040, CVE-2026-42041, CVE-2026-42042, CVE-2026-42043,...
CVE-2026-42034
A flaw was found in Axios. A remote attacker can exploit this vulnerability by sending oversized streamed uploads. This occurs when the maxRedirects setting is configured to 0, which bypasses the maxBodyLength limit for stream request bodies. Consequently, the system will process the full oversiz...
Stream Request Bypass
Axios is vulnerable to Stream Request Bypass. The vulnerability is due to the bypassing of maxBodyLength when maxRedirects is set to 0 for stream request bodies, where oversized streamed uploads are sent fully even when the caller sets strict body limits...
Linux Distros Unpatched Vulnerability : CVE-2026-42034
The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - Axios is a promise based HTTP client for the browser and Node.js. Prior to 1.15.1 and 0.31.1, for stream request bodies, maxBodyLength is bypassed when...
Allocation of Resources Without Limits or Throttling
Overview: axios is a promise-based HTTP client for the browser and Node.js. Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling due to the data.pipe(req) upload path in the HTTP adapter. An attacker can send a streamed request body larger than the...
Allocation of Resources Without Limits or Throttling
Overview: org.webjars.npm:axios is a promise-based HTTP client for the browser and Node.js. Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling due to the data.pipe(req) upload path in the HTTP adapter. An attacker can send a streamed request body...
CVE-2026-42034
Axios is a promise based HTTP client for the browser and Node.js. Prior to 1.15.1 and 0.31.1, for stream request bodies, maxBodyLength is bypassed when maxRedirects is set to 0 (native http/https transport path). Oversized streamed uploads are sent fully even when the caller sets strict body limits...
PT-2026-35045
Name of the Vulnerable Software and Affected Versions: Axios versions prior to 0.31.1; Axios versions prior to 1.15.1. Description: For stream request bodies, the maxBodyLength limit is bypassed when maxRedirects is set to 0 using the native http/https transport path. This allows oversized streamed...
CVE-2026-41334
OpenClaw before 2026.3.31 is affected by a decompression bomb DoS in image processing. The vulnerability stems from failing to properly enforce pixel-limit guards on sips, allowing attackers to upload oversized images that exhaust memory and cause denial of service. The CVSS metrics indicate netw...
CVE-2026-23940 Denial of Service via Oversized Package Upload
Uncontrolled Resource Consumption vulnerability in hexpm hexpm/hexpm allows Excessive Allocation. Publishing an oversized package can cause Hex.pm to run out of memory while extracting the uploaded package tarball. This can terminate the affected application instance and result in a denial of...
CVE-2026-23940
Uncontrolled Resource Consumption vulnerability in hexpm hexpm/hexpm allows Excessive Allocation. Publishing an oversized package can cause Hex.pm to run out of memory while extracting the uploaded package tarball. This can terminate the affected application instance and result in a denial of...
CVE-2026-28478
OpenClaw versions prior to 2026.2.13 contain a denial of service vulnerability in webhook handlers that buffer request bodies without strict byte or time limits. Remote unauthenticated attackers can send oversized JSON payloads or slow uploads to webhook endpoints causing memory pressure and...
CVE-2026-28478
OpenClaw versions prior to 2026.2.13 contain a denial of service vulnerability in webhook handlers that buffer request bodies without strict byte or time limits. Remote unauthenticated attackers can send oversized JSON payloads or slow uploads to webhook endpoints causing memory pressure and...
CVE-2026-27607
RustFS is a distributed object storage system built in Rust. In versions 1.0.0-alpha.56 through 1.0.0-alpha.82, RustFS does not validate policy conditions in presigned POST uploads (PostObject), allowing attackers to bypass content-length-range, starts-with, and Content-Type constraints. This enabl...
EUVD-2026-8588
RustFS: Missing Post Policy Validation leads to Arbitrary Object Write...
PT-2026-21835
Name of the Vulnerable Software and Affected Versions: RustFS versions 1.0.0-alpha.56 through 1.0.0-alpha.82. Description: RustFS does not properly validate policy conditions during presigned POST uploads (PostObject). This allows bypassing content-length-range, starts-with, and Content-Type...
PT-2026-23553
Name of the Vulnerable Software and Affected Versions: OpenClaw versions prior to 2026.2.13; clawdbot versions prior to 2026.1.24-3. Description: The software contains a denial of service issue in webhook handlers due to insufficient limits on request body size and processing time. Remote,...
Denial Of Service (DoS)
Liferay Portal is vulnerable to Denial Of Service (DoS). The vulnerability is due to failure to enforce the 300kb file size limit on profile picture uploads, allowing oversized files that can degrade system performance...