| CVE ID | Title | Vendor | Product | Severity | CVSS Score | Published At | AI Analysis |
|---|---|---|---|---|---|---|---|
| CVE-2026-42038 | Axios: no_proxy bypass via IP alias allows SSRF | axios | axios | Medium | 6.8 | 2026-04-24 17:57:27 | Deep Dive |
| CVE-2026-42041 | Axios: Authentication Bypass via Prototype Pollution Gadget in `validateStatus` Merge Strategy | axios | axios | Medium | 4.8 | 2026-04-24 17:55:30 | Deep Dive |
| CVE-2026-42043 | Axios: Incomplete Fix for CVE-2025-62718 — NO_PROXY Protection Bypassed via RFC 1122 Loopback Subnet (127.0.0.0/8) in Axios 1.15.0 | axios | axios | High | 7.2 | 2026-04-24 17:54:43 | Deep Dive |
| CVE-2026-42044 | Axios: Invisible JSON Response Tampering via Prototype Pollution Gadget in `parseReviver` | axios | axios | Medium | 6.5 | 2026-04-24 17:49:50 | Deep Dive |
| CVE-2026-42040 | Axios: Null Byte Injection via Reverse-Encoding in AxiosURLSearchParams | axios | axios | Low | 3.7 | 2026-04-24 17:40:31 | Deep Dive |
| CVE-2026-42035 | Axios: Header Injection via Prototype Pollution | axios | axios | High | 7.4 | 2026-04-24 17:38:08 | Deep Dive |
| CVE-2026-42033 | Axios: Prototype Pollution Gadgets - Response Tampering, Data Exfiltration, and Request Hijacking | axios | axios | High | 7.4 | 2026-04-24 17:36:44 | Deep Dive |
| CVE-2026-41680 | Marked: OOM Denial of Service via Infinite Recursion in marked Tokenizer | markedjs | marked | - | - | 2026-04-24 17:26:28 | Deep Dive |
| CVE-2026-41898 | rust-openssl: Unchecked callback-returned length in PSK and cookie generate trampolines can cause OpenSSL to leak adjacent memory to the network peer | rust-openssl | rust-openssl | - | - | 2026-04-24 17:20:38 | Deep Dive |
| CVE-2026-41681 | rust-openssl: MdCtxRef::digest_final() writes past caller buffer with no length check | rust-openssl | rust-openssl | - | - | 2026-04-24 17:19:15 | Deep Dive |
| CVE-2026-41678 | rust-openssl: Incorrect bounds assertion in aes key wrap | rust-openssl | rust-openssl | - | - | 2026-04-24 17:18:27 | Deep Dive |
| CVE-2026-41677 | rust-openssl: Out-of-bounds read in PEM password callback when user callback returns an oversized length | rust-openssl | rust-openssl | - | - | 2026-04-24 17:17:18 | Deep Dive |
| CVE-2026-41676 | rust-openssl: Deriver::derive and PkeyCtxRef::derive can overflow short buffers on OpenSSL 1.1.1 | rust-openssl | rust-openssl | - | - | 2026-04-24 17:16:21 | Deep Dive |
| CVE-2026-41140 | Poetry: Path traversal in tar extraction on Python 3.10.0 - 3.10.12 and 3.11.0 - 3.11.4 | python-poetry | poetry | High | - | 2026-04-24 17:10:34 | Deep Dive |
| CVE-2026-41322 | @astrojs/node: Cache Poisoning due to incorrect error handling when if-match header is malformed | withastro | astro | Medium | 5.3 | 2026-04-24 17:08:13 | Deep Dive |
| CVE-2026-41321 | @astrojs/cloudflare: SSRF via redirect following in Cloudflare image-binding-transform endpoint | withastro | @astrojs/cloudflare | Low | 2.2 | 2026-04-24 17:04:06 | Deep Dive |
| CVE-2026-41067 | Astro: XSS via incomplete `</script>` sanitization in `define:vars` allows case-insensitive and whitespace-based bypass | withastro | astro | Medium | 6.1 | 2026-04-24 16:57:23 | Deep Dive |
| CVE-2026-41079 | OpenPrinting CUPS: Heap out-of-bounds read in SNMP supply-level polling leaks stack memory to authenticated users | OpenPrinting | cups | Medium | 4.3 | 2026-04-24 16:54:39 | Deep Dive |
| CVE-2026-41411 | Vim: Command injection via backtick expansion in tag filenames | vim | vim | Medium | 6.6 | 2026-04-24 16:51:40 | Deep Dive |
| CVE-2026-40897 | Math.js: Unsafe object property setter in mathjs | josdejong | mathjs | High | 8.8 | 2026-04-24 16:48:35 | Deep Dive |