|
4921
|
8.8 |
HIGH
Network
|
getkirby
|
kirby
|
Kirby is an open-source content management system. Kirby's user permissions control which user role is allowed to perform specific actions to content models in the CMS. These permissions are defined …
|
CWE-863
Incorrect Authorization
|
CVE-2026-41325
|
2026-04-28 04:07 |
2026-04-24 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
4922
|
7.4 |
HIGH
Network
|
-
|
-
|
Axios is a promise based HTTP client for the browser and Node.js. Prior to 1.15.1 and 0.31.1, when Object.prototype has been polluted by any co-dependency with keys that axios reads without a hasOwnP…
|
CWE-1321
Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')
|
CVE-2026-42033
|
2026-04-28 03:57 |
2026-04-25 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
4923
|
5.3 |
MEDIUM
Network
|
-
|
-
|
Axios is a promise based HTTP client for the browser and Node.js. Prior to 1.15.1 and 0.31.1, for stream request bodies, maxBodyLength is bypassed when maxRedirects is set to 0 (native http/https tra…
|
CWE-770
Allocation of Resources Without Limits or Throttling
|
CVE-2026-42034
|
2026-04-28 03:57 |
2026-04-25 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
4924
|
5.3 |
MEDIUM
Network
|
-
|
-
|
Axios is a promise based HTTP client for the browser and Node.js. Prior to 1.15.1 and 0.31.1, when responseType: 'stream' is used, Axios returns the response stream without enforcing maxContentLength…
|
CWE-770
Allocation of Resources Without Limits or Throttling
|
CVE-2026-42036
|
2026-04-28 03:57 |
2026-04-25 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
4925
|
6.8 |
MEDIUM
Network
|
-
|
-
|
Axios is a promise based HTTP client for the browser and Node.js. Prior to 1.15.1 and 0.31.1, he fix for no_proxy hostname normalization bypass is incomplete. When no_proxy=localhost is set, requests…
|
CWE-918
Server-Side Request Forgery (SSRF)
|
CVE-2026-42038
|
2026-04-28 03:57 |
2026-04-25 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
4926
|
- |
|
-
|
-
|
Axios is a promise based HTTP client for the browser and Node.js. Prior to 1.15.1 and 0.31.1, toFormData recursively walks nested objects with no depth limit, so a deeply nested value passed as reque…
|
CWE-674
Uncontrolled Recursion
|
CVE-2026-42039
|
2026-04-28 03:57 |
2026-04-25 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
4927
|
3.7 |
LOW
Network
|
-
|
-
|
Axios is a promise based HTTP client for the browser and Node.js. Prior to 1.15.1 and 0.31.1, the encode() function in lib/helpers/AxiosURLSearchParams.js contains a character mapping (charMap) at li…
|
CWE-116
CWE-626
Improper Encoding or Escaping of Output
Null Byte Interaction Error (Poison Null Byte)
|
CVE-2026-42040
|
2026-04-28 03:57 |
2026-04-25 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
4928
|
7.4 |
HIGH
Network
|
-
|
-
|
Axios is a promise based HTTP client for the browser and Node.js. Prior to 1.15.1 and 0.31.1, a prototype pollution gadget exists in the Axios HTTP adapter (lib/adapters/http.js) that allows an attac…
|
CWE-113
CWE-1321
HTTP Response Splitting
Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')
|
CVE-2026-42035
|
2026-04-28 03:57 |
2026-04-25 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
4929
|
5.3 |
MEDIUM
Network
|
-
|
-
|
Axios is a promise based HTTP client for the browser and Node.js. From 1.0.0 to before 1.15.1, the FormDataPart constructor in lib/helpers/formDataToStream.js interpolates value.type directly into th…
|
CWE-93
CRLF Injection
|
CVE-2026-42037
|
2026-04-28 03:57 |
2026-04-25 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
4930
|
4.8 |
MEDIUM
Network
|
-
|
-
|
Axios is a promise based HTTP client for the browser and Node.js. Prior to 1.15.1 and 0.31.1, the Axios library is vulnerable to a Prototype Pollution "Gadget" attack that allows any Object.prototype…
|
CWE-287
CWE-1321
Improper Authentication
Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')
|
CVE-2026-42041
|
2026-04-28 03:57 |
2026-04-25 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
