| CVE-2026-42043 |
critical |
10.0 |
10.0 |
1mo ago |
Axios: Incomplete Fix for CVE-2025-62718 — NO_PROXY Protection Bypassed via RFC 1122 Loopback Subnet (127.0.0.0/8) in Axios 1.15.0 |
|
| CVE-2026-42264 |
critical |
9.1 |
9.1 |
20d ago |
Axios has prototype pollution read-side gadgets in HTTP adapter that allow credential injection and request hijacking |
|
| CVE-2026-42044 |
critical |
9.1 |
9.1 |
1mo ago |
Axios: Invisible JSON Response Tampering via Prototype Pollution Gadget in `parseReviver` |
|
| CVE-2026-42039 |
high |
7.5 |
7.5 |
1mo ago |
Axios: unbounded recursion in toFormData causes DoS via deeply nested request data |
|
| CVE-2026-42038 |
high |
7.5 |
7.5 |
1mo ago |
Axios: no_proxy bypass via IP alias allows SSRF |
|
| CVE-2026-25639 |
high |
7.5 |
7.5 |
4mo ago |
Axios is Vulnerable to Denial of Service via __proto__ Key in mergeConfig |
|
| CVE-2026-42035 |
high |
7.4 |
7.4 |
1mo ago |
Axios: Header Injection via Prototype Pollution |
|
| CVE-2026-42033 |
high |
7.4 |
7.4 |
1mo ago |
Axios: Prototype Pollution Gadgets - Response Tampering, Data Exfiltration, and Request Hijacking |
|
| CVE-2026-42040 |
low |
3.7 |
3.7 |
1mo ago |
Axios: Null Byte Injection via Reverse-Encoding in AxiosURLSearchParams |
|