| CVE ID | Title | Vendor | Product | Severity | CVSS Score | Published At | AI Analysis |
|---|---|---|---|---|---|---|---|
| CVE-2026-41328 | Dgraph: Pre-Auth Full Database Exfiltration via DQL Injection in NQuad Lang Field | dgraph-io | dgraph | Critical | 9.1 | 2026-04-24 18:25:44 | Deep Dive |
| CVE-2026-33666 | Zserio: Integer Overflow in BitStreamReader on 32-bit platforms | ndsev | zserio | High | 7.5 | 2026-04-24 18:21:11 | Deep Dive |
| CVE-2026-33524 | Zserio: Integer Overflow in BitStreamReader and Unbounded Memory Allocation in Deserialization | ndsev | zserio | High | 7.5 | 2026-04-24 18:18:03 | Deep Dive |
| CVE-2026-33662 | OP-TEE: RSASSA EMSA-PKCS1-v1_5 underflow in emsa_pkcs1_v1_5_encode() | OP-TEE | optee_os | High | 7.5 | 2026-04-24 18:13:29 | Deep Dive |
| CVE-2026-41907 | uuid: Missing buffer bounds check in `v3`/`v5`/`v6` when `buf` is provided | uuidjs | uuid | - | - | 2026-04-24 18:09:25 | Deep Dive |
| CVE-2026-42042 | Axios: XSRF Token Cross-Origin Leakage via Prototype Pollution Gadget in `withXSRFToken` Boolean Coercion | axios | axios | Medium | 5.4 | 2026-04-24 18:03:30 | Deep Dive |
| CVE-2026-42039 | Axios: unbounded recursion in toFormData causes DoS via deeply nested request data | axios | axios | - | - | 2026-04-24 18:01:31 | Deep Dive |
| CVE-2026-42036 | Axios: HTTP adapter streamed responses bypass maxContentLength | axios | axios | Medium | 5.3 | 2026-04-24 18:00:33 | Deep Dive |
| CVE-2026-42034 | Axios: HTTP adapter streamed uploads bypass maxBodyLength when maxRedirects: 0 | axios | axios | Medium | 5.3 | 2026-04-24 17:59:48 | Deep Dive |
| CVE-2026-42037 | Axios: CRLF Injection in multipart/form-data body via unsanitized blob.type in formDataToStream | axios | axios | Medium | 5.3 | 2026-04-24 17:58:16 | Deep Dive |
| CVE-2026-42038 | Axios: no_proxy bypass via IP alias allows SSRF | axios | axios | Medium | 6.8 | 2026-04-24 17:57:27 | Deep Dive |
| CVE-2026-42041 | Axios: Authentication Bypass via Prototype Pollution Gadget in `validateStatus` Merge Strategy | axios | axios | Medium | 4.8 | 2026-04-24 17:55:30 | Deep Dive |
| CVE-2026-42043 | Axios: Incomplete Fix for CVE-2025-62718 — NO_PROXY Protection Bypassed via RFC 1122 Loopback Subnet (127.0.0.0/8) in Axios 1.15.0 | axios | axios | High | 7.2 | 2026-04-24 17:54:43 | Deep Dive |
| CVE-2026-42044 | Axios: Invisible JSON Response Tampering via Prototype Pollution Gadget in `parseReviver` | axios | axios | Medium | 6.5 | 2026-04-24 17:49:50 | Deep Dive |
| CVE-2026-42040 | Axios: Null Byte Injection via Reverse-Encoding in AxiosURLSearchParams | axios | axios | Low | 3.7 | 2026-04-24 17:40:31 | Deep Dive |
| CVE-2026-42035 | Axios: Header Injection via Prototype Pollution | axios | axios | High | 7.4 | 2026-04-24 17:38:08 | Deep Dive |
| CVE-2026-42033 | Axios: Prototype Pollution Gadgets - Response Tampering, Data Exfiltration, and Request Hijacking | axios | axios | High | 7.4 | 2026-04-24 17:36:44 | Deep Dive |
| CVE-2026-41680 | Marked: OOM Denial of Service via Infinite Recursion in marked Tokenizer | markedjs | marked | - | - | 2026-04-24 17:26:28 | Deep Dive |
| CVE-2026-41898 | rust-openssl: Unchecked callback-returned length in PSK and cookie generate trampolines can cause OpenSSL to leak adjacent memory to the network peer | rust-openssl | rust-openssl | - | - | 2026-04-24 17:20:38 | Deep Dive |
| CVE-2026-41681 | rust-openssl: MdCtxRef::digest_final() writes past caller buffer with no length check | rust-openssl | rust-openssl | - | - | 2026-04-24 17:19:15 | Deep Dive |