|
5731
|
7.5 |
HIGH
Network
|
getkirby
|
kirby
|
Kirby is an open-source content management system. Kirby's `Xml::value()` method has special handling for `<![CDATA[ ]]>` blocks. If the input value is already valid `CDATA`, it is not escaped a seco…
|
CWE-91
Blind XPath Injection
|
CVE-2026-32870
|
2026-04-28 04:21 |
2026-04-24 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
5732
|
8.1 |
HIGH
Network
|
getkirby
|
kirby
|
Kirby is an open-source content management system. Prior to versions 4.9.0 and 5.4.0, Kirby's user permissions control which user role is allowed to perform specific actions to content models in the …
|
CWE-1336
Improper Neutralization of Special Elements Used in a Template Engine
|
CVE-2026-34587
|
2026-04-28 04:15 |
2026-04-24 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
5733
|
6.5 |
MEDIUM
Network
|
getkirby
|
kirby
|
Kirby is an open-source content management system. Kirby's user permissions control which user role is allowed to perform specific actions to content models in the CMS. These permissions are defined …
|
CWE-863
Incorrect Authorization
|
CVE-2026-40099
|
2026-04-28 04:12 |
2026-04-24 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
5734
|
8.8 |
HIGH
Network
|
getkirby
|
kirby
|
Kirby is an open-source content management system. Kirby's user permissions control which user role is allowed to perform specific actions to content models in the CMS. These permissions are defined …
|
CWE-863
Incorrect Authorization
|
CVE-2026-41325
|
2026-04-28 04:07 |
2026-04-24 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
5735
|
7.4 |
HIGH
Network
|
-
|
-
|
Axios is a promise based HTTP client for the browser and Node.js. Prior to 1.15.1 and 0.31.1, when Object.prototype has been polluted by any co-dependency with keys that axios reads without a hasOwnP…
|
CWE-1321
Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')
|
CVE-2026-42033
|
2026-04-28 03:57 |
2026-04-25 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
5736
|
5.3 |
MEDIUM
Network
|
-
|
-
|
Axios is a promise based HTTP client for the browser and Node.js. Prior to 1.15.1 and 0.31.1, for stream request bodies, maxBodyLength is bypassed when maxRedirects is set to 0 (native http/https tra…
|
CWE-770
Allocation of Resources Without Limits or Throttling
|
CVE-2026-42034
|
2026-04-28 03:57 |
2026-04-25 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
5737
|
5.3 |
MEDIUM
Network
|
-
|
-
|
Axios is a promise based HTTP client for the browser and Node.js. Prior to 1.15.1 and 0.31.1, when responseType: 'stream' is used, Axios returns the response stream without enforcing maxContentLength…
|
CWE-770
Allocation of Resources Without Limits or Throttling
|
CVE-2026-42036
|
2026-04-28 03:57 |
2026-04-25 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
5738
|
6.8 |
MEDIUM
Network
|
-
|
-
|
Axios is a promise based HTTP client for the browser and Node.js. Prior to 1.15.1 and 0.31.1, he fix for no_proxy hostname normalization bypass is incomplete. When no_proxy=localhost is set, requests…
|
CWE-918
Server-Side Request Forgery (SSRF)
|
CVE-2026-42038
|
2026-04-28 03:57 |
2026-04-25 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
5739
|
- |
|
-
|
-
|
Axios is a promise based HTTP client for the browser and Node.js. Prior to 1.15.1 and 0.31.1, toFormData recursively walks nested objects with no depth limit, so a deeply nested value passed as reque…
|
CWE-674
Uncontrolled Recursion
|
CVE-2026-42039
|
2026-04-28 03:57 |
2026-04-25 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
5740
|
3.7 |
LOW
Network
|
-
|
-
|
Axios is a promise based HTTP client for the browser and Node.js. Prior to 1.15.1 and 0.31.1, the encode() function in lib/helpers/AxiosURLSearchParams.js contains a character mapping (charMap) at li…
|
CWE-116
CWE-626
Improper Encoding or Escaping of Output
Null Byte Interaction Error (Poison Null Byte)
|
CVE-2026-42040
|
2026-04-28 03:57 |
2026-04-25 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
