Github Security Blog
added 2026/06/04 2:19 p.m.

Axios: Proxy-Authorization Credential Leak to Origin Server Across HTTP-to-HTTPS Redirect in Axios Node.js HTTP Adapter

Summary Axios’s Node.js HTTP adapter may forward a Proxy-Authorization header to a redirected origin during specific proxy-to-direct redirect flows. This affects Node.js usage, where an initial HTTP request is sent through an authenticated HTTP proxy, redirects are followed, and the redirected UR...

CVSS 8.2 · AI score 5.8 · EPSS 0.00032
Exploits: 1 · References: 5 · Affected software: 1
Snyk
added 2026/06/04 2:19 p.m.

Insertion of Sensitive Information Into Sent Data

Overview axios is a promise-based HTTP client for the browser and Node.js. Affected versions of this package are vulnerable to Insertion of Sensitive Information Into Sent Data in the setProxy function. An attacker can obtain proxy credentials by inducing a redirect from an HTTP request sent...

CVSS 8.2 · AI score 5.4 · EPSS 0.00032
Exploits: 1 · References: 2
Snyk
added 2026/06/04 2:19 p.m.

Insertion of Sensitive Information Into Sent Data

Overview org.webjars.npm:axios is a promise-based HTTP client for the browser and Node.js. Affected versions of this package are vulnerable to Insertion of Sensitive Information Into Sent Data in the setProxy function. An attacker can obtain proxy credentials by inducing a redirect from an HTTP...

CVSS 8.2 · AI score 5.4 · EPSS 0.00032
Exploits: 1 · References: 2
OSV
added 2026/06/04 2:19 p.m.

GHSA-P92Q-9VQR-4J8V Axios: Proxy-Authorization Credential Leak to Origin Server Across HTTP-to-HTTPS Redirect in Axios Node.js HTTP Adapter

Summary Axios’s Node.js HTTP adapter may forward a Proxy-Authorization header to a redirected origin during specific proxy-to-direct redirect flows. This affects Node.js usage, where an initial HTTP request is sent through an authenticated HTTP proxy, redirects are followed, and the redirected UR...

CVSS 8.2 · AI score 5.8 · EPSS 0.00032
Exploits: 1 · References: 5
Snyk
added 2026/06/04 2:15 p.m.

Insertion of Sensitive Information Into Sent Data

Overview axios is a promise-based HTTP client for the browser and Node.js. Affected versions of this package are vulnerable to Insertion of Sensitive Information Into Sent Data in the setProxy function. An attacker can obtain sensitive proxy credentials by controlling a redirect target and causin...

CVSS 8.7 · AI score 5.4 · EPSS 0.00032
Exploits: 1 · References: 2
OSV
added 2026/06/04 2:15 p.m.

GHSA-J5F8-GRM9-P9FC Axios: Proxy-Authorization header leaks to redirect target when proxy is re-evaluated to direct connection

Summary Axios’ Node.js HTTP adapter can leak proxy credentials to a redirect target in affected versions. When a request is sent through an authenticated proxy, Axios may add a Proxy-Authorization header. If Axios then follows a redirect and the redirected request is no longer sent through that...

CVSS 7.5 · AI score 5.9 · EPSS 0.00032
Exploits: 1 · References: 7
Github Security Blog
added 2026/06/04 2:15 p.m.

Axios: Proxy-Authorization header leaks to redirect target when proxy is re-evaluated to direct connection

Summary Axios’ Node.js HTTP adapter can leak proxy credentials to a redirect target in affected versions. When a request is sent through an authenticated proxy, Axios may add a Proxy-Authorization header. If Axios then follows a redirect and the redirected request is no longer sent through that...

CVSS 7.5 · AI score 5.9 · EPSS 0.00032
Exploits: 1 · References: 7 · Affected software: 1
Snyk
added 2026/06/04 2:15 p.m.

Insertion of Sensitive Information Into Sent Data

Overview org.webjars.npm:axios is a promise-based HTTP client for the browser and Node.js. Affected versions of this package are vulnerable to Insertion of Sensitive Information Into Sent Data in the setProxy function. An attacker can obtain sensitive proxy credentials by controlling a redirect...

CVSS 8.7 · AI score 5.4 · EPSS 0.00032
Exploits: 1 · References: 2
Wolfi
added 2026/06/04 1:48 p.m.

GHSA-W2Q5-6Q6X-X959 vulnerabilities

Vulnerabilities for packages: gitsign, cortex, melange, istio, kube-arangodb, harbor-cli, docker-cli-buildx, eksctl, apko, temporal, flux-source-controller, kube-rbac-proxy, sqlexporter, terraform-provider-pagerduty, linkerd2, knative-eventing, goreleaser, grafana-pyroscope, infinispan-operator,...

AI score 5.2
Exploits: 0
Wolfi
added 2026/06/04 1:48 p.m.

CVE-2026-39821 vulnerabilities

Vulnerabilities for packages: gitsign, cortex, melange, istio, kube-arangodb, harbor-cli, docker-cli-buildx, eksctl, apko, temporal, flux-source-controller, kube-rbac-proxy, sqlexporter, terraform-provider-pagerduty, linkerd2, knative-eventing, goreleaser, grafana-pyroscope, infinispan-operator,...

CVSS 9.6 · AI score 5.2 · EPSS 0.0005
Exploits: 0
Chainguard
added 2026/06/04 1:20 p.m.

GHSA-W2Q5-6Q6X-X959 vulnerabilities

Vulnerabilities for packages: k9s-fips, longhorn-share-manager-fips, terraform-provider-time-fips, helm, infinispan-operator, litmus-chaos-operator, kaniko, prometheus, ipfs-cluster, reports-server, goreleaser, consul-fips, terraform-provider-grafana, virt-api, apko-fips, falcoctl-fips, falcoctl,...

AI score 5.2
Exploits: 0
ATTACKERKB
added 2026/06/04 12:46 p.m.

CVE-2026-43926

FOSSBilling is a free, open-source billing and client management system. Prior to version 0.8.0, the password reset confirmation endpoint /client/reset-password-confirm/:hash is handled by a non-API controller and is not covered by FOSSBilling's rate limiter, which only applies to /api/ routes...

CVSS 6.3 · AI score 5.8 · EPSS 0.00054
Exploits: 0 · References: 3 · Affected software: 1
Vulnrichment
added 2026/06/04 12:46 p.m.

CVE-2026-43926 FOSSBilling's password reset confirmation endpoint lacks rate limiting

FOSSBilling is a free, open-source billing and client management system. Prior to version 0.8.0, the password reset confirmation endpoint /client/reset-password-confirm/:hash is handled by a non-API controller and is not covered by FOSSBilling's rate limiter, which only applies to /api/ routes...

CVSS 6.3 · AI score 5.8 · EPSS 0.00054
Exploits: 0 · References: 2
RedhatCVE
added 2026/06/04 12:39 p.m.

CVE-2026-48840

A flaw was found in Exim. In certain proxy configurations, Exim mishandles short data payloads. This can lead to the disclosure of uninitialized stack memory values to a remote client, potentially exposing sensitive information...

CVSS 5.3 · AI score 5.8 · EPSS 0.0007
Exploits: 0 · References: 2
OSV
added 2026/06/04 12:04 p.m.

RLSA-2026:21433 Important: httpd security update

The httpd packages provide the Apache HTTP Server, a powerful, efficient, and extensible web server. Security Fixes: httpd: mod_proxy_ajp: heap-based buffer over-read and memory disclosure in ajp_parse_data CVE-2026-34059 httpd: mod_proxy_ajp: heap-based buffer over-read due to missing null-termination...

CVSS 8.2 · AI score 6.3 · EPSS 0.00648
Exploits: 0 · References: 6
OSV
added 2026/06/04 10:59 a.m.

ROOT-APP-NPM-GHSA-6X33-PW7P-HMPQ GHSA-6x33-pw7p-hmpq in @rootio/http-proxy - Patched by Root

Root has patched GHSA-6x33-pw7p-hmpq in the @rootio/http-proxy package for Root:npm. Multiple fixed versions available...

AI score 5.8
Exploits: 0
OSV
added 2026/06/04 8:27 a.m.

SUSE-SU-2026:22067-1 Security update for openssh

This update for openssh fixes the following issues: - CVE-2026-35388: Added missing askpass check for proxy-mode multiplexing sessions (bsc#1261441) - CVE-2026-3497: Fixed a possible information disclosure or denial of service due to uninitialized variables in gssapi patches (bsc#1259642) - Add patch t...

CVSS 7.5 · AI score 5.4 · EPSS 0.00101
Exploits: 0 · References: 6
SUSE CVE
added 2026/06/04 2:24 a.m.

SUSE CVE-2026-42043

Axios is a promise-based HTTP client for the browser and Node.js. Prior to 1.15.1 and 0.31.1, an attacker who can influence the target URL of an Axios request can use any address in the 127.0.0.0/8 range other than 127.0.0.1 to completely bypass the NO_PROXY protection. This vulnerability is due t...

CVSS 10 · AI score 5.8 · EPSS 0.00026
Exploits: 1 · References: 3
GitLab Advisory Database
added 2026/06/04 12:00 a.m.

AdGuard Home: DoQ-to-UDP State Reduction and Source-Port Oracle

This report covers the client-triggered DoQ forwarding path in: - dnsproxy v0.81.2 adguard/dnsproxy:v0.81.2 - AdGuard Home v0.107.74 adguard/adguardhome:latest, image version label v0.107.74 The issue was reproduced on 2026-04-25 with the products configured through their documented DoQ listener...

AI score 5.8 · EPSS 0.00047
Exploits: 0 · References: 4 · Affected software: 1
Tenable Nessus
added 2026/06/04 12:00 a.m.

Linux Distros Unpatched Vulnerability : CVE-2026-47065

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - ZDRES-232: resolveProxyClass Not Overridden - acceptMatchers Filter Bypass via java.lang.reflect.Proxy Assessment: Fully addressed. When the serialised stream...

CVSS 9.8 · AI score 5.5 · EPSS 0.0006
Exploits: 0 · References: 3