Latest CVE Feed

  1. Home
  2. Vulnerabilities
  3. Latest
CVE Intelligence

Vulnerabilities published in the last 30 days. Filter by severity, exploit status, or attack vector.

All Critical Actively Exploited Remotely Exploitable
Last Updated Published CVSS Score
Score
Vulnerability
Published
7.4 HIGH
CVE-2026-41414 — Skim: Arbitrary code execution via pull_request_target fork checkout in pr.yml

Skim is a fuzzy finder designed to through files, lines, and commands. The generate-files job in .github/workflows/pr.yml checks out attacker-controlled fork code and executes it via cargo run, with …

Remote | Supply Chain
Apr 24, 2026 Apr 24, 2026
Apr 24, 2026
Apr 24, 2026
9.1 CRITICAL
CVE-2026-41328 — Dgraph: Pre-Auth Full Database Exfiltration via DQL Injection in NQuad Lang Field

Dgraph is an open source distributed GraphQL database. Prior to 25.3.3, a vulnerability has been found in Dgraph that gives an unauthenticated attacker full read access to every piece of data in the …

dgraph | Remote | Injection
Apr 24, 2026 Apr 24, 2026
Apr 24, 2026
Apr 24, 2026
9.1 CRITICAL
CVE-2026-41327 — Dgraph: Pre-Auth Full Database Exfiltration via DQL Injection in Upsert Condition Field

Dgraph is an open source distributed GraphQL database. Prior to 25.3.3, a vulnerability has been found in Dgraph that gives an unauthenticated attacker full read access to every piece of data in the …

dgraph | Remote | Injection
Apr 24, 2026 Apr 24, 2026
Apr 24, 2026
Apr 24, 2026
8.2 HIGH
CVE-2026-41326 — Kata Containers: CopyFile Policy Subversion via Symlinks

Kata Containers is an open source project focusing on a standard implementation of lightweight Virtual Machines (VMs) that perform like containers. From v3.4.0 to v3.28.0, an oversight in the CopyFil…

kata_containers | Path Traversal
Apr 24, 2026 Apr 24, 2026
Apr 24, 2026
Apr 24, 2026
7.5 HIGH
CVE-2026-33666 — Zserio: Integer Overflow in BitStreamReader on 32-bit platforms

Zserio is a framework for serializing structured data with a compact and efficient way with low overhead. Prior to 2.18.1, in BitStreamReader.h readBytes() / readString(), the setBitPosition() bounds…

Remote | Memory Corruption
Apr 24, 2026 Apr 24, 2026
Apr 24, 2026
Apr 24, 2026
7.5 HIGH
CVE-2026-33662 — OP-TEE: RSASSA EMSA- PKCS1-v1_5 underflow in emsa_pkcs1_v1_5_encode()

OP-TEE is a Trusted Execution Environment (TEE) designed as companion to a non-secure Linux kernel running on Arm; Cortex-A cores using the TrustZone technology. From 3.8.0 to 4.10, in the function e…

op-tee_os | Remote | Memory Corruption
Apr 24, 2026 Apr 24, 2026
Apr 24, 2026
Apr 24, 2026
7.5 HIGH
CVE-2026-33524 — Zserio: Integer Overflow in BitStreamReader and Unbounded Memory Allocation in Deserializ…

Zserio is a framework for serializing structured data with a compact and efficient way with low overhead. Prior to 2.18.1, a crafted payload as small as 4-5 bytes can force memory allocations of up t…

Remote | Memory Corruption
Apr 24, 2026 Apr 24, 2026
Apr 24, 2026
Apr 24, 2026
6.5 MEDIUM
CVE-2026-42044 — Axios: Invisible JSON Response Tampering via Prototype Pollution Gadget in `parseReviver`

Axios is a promise based HTTP client for the browser and Node.js. From 1.0.0 to before 1.15.2, he Axios library is vulnerable to a Prototype Pollution "Gadget" attack that allows any Object.prototype…

axios | Remote | Injection
Apr 24, 2026 Apr 24, 2026
Apr 24, 2026
Apr 24, 2026
7.2 HIGH
CVE-2026-42043 — Axios: Incomplete Fix for CVE-2025-62718 — NO_PROXY Protection Bypassed via RFC 1122 Loo…

Axios is a promise based HTTP client for the browser and Node.js. Prior to 1.15.1 and 0.31.1, an attacker who can influence the target URL of an Axios request can use any address in the 127.0.0.0/8 r…

axios | Remote | Server-Side Request Forgery
Apr 24, 2026 Apr 24, 2026
Apr 24, 2026
Apr 24, 2026
5.4 MEDIUM
CVE-2026-42042 — Axios: XSRF Token Cross-Origin Leakage via Prototype Pollution Gadget in `withXSRFToken` …

Axios is a promise based HTTP client for the browser and Node.js. Prior to 1.15.1 and 0.31.1, the Axios library's XSRF token protection logic uses JavaScript truthy/falsy semantics instead of strict …

axios | Remote | Cross-Site Request Forgery
Apr 24, 2026 Apr 24, 2026
Apr 24, 2026
Apr 24, 2026
4.8 MEDIUM
CVE-2026-42041 — Axios: Authentication Bypass via Prototype Pollution Gadget in `validateStatus` Merge Str…

Axios is a promise based HTTP client for the browser and Node.js. Prior to 1.15.1 and 0.31.1, the Axios library is vulnerable to a Prototype Pollution "Gadget" attack that allows any Object.prototype…

axios | Remote | Misconfiguration
Apr 24, 2026 Apr 24, 2026
Apr 24, 2026
Apr 24, 2026
3.7 LOW
CVE-2026-42040 — Axios: Null Byte Injection via Reverse-Encoding in AxiosURLSearchParams

Axios is a promise based HTTP client for the browser and Node.js. Prior to 1.15.1 and 0.31.1, the encode() function in lib/helpers/AxiosURLSearchParams.js contains a character mapping (charMap) at li…

axios | Remote | Injection
Apr 24, 2026 Apr 24, 2026
Apr 24, 2026
Apr 24, 2026
6.9 MEDIUM
CVE-2026-42039 — Axios: unbounded recursion in toFormData causes DoS via deeply nested request data

Axios is a promise based HTTP client for the browser and Node.js. Prior to 1.15.1 and 0.31.1, toFormData recursively walks nested objects with no depth limit, so a deeply nested value passed as reque…

axios | Remote | Denial of Service
Apr 24, 2026 Apr 24, 2026
Apr 24, 2026
Apr 24, 2026
6.8 MEDIUM
CVE-2026-42038 — Axios: no_proxy bypass via IP alias allows SSRF

Axios is a promise based HTTP client for the browser and Node.js. Prior to 1.15.1 and 0.31.1, he fix for no_proxy hostname normalization bypass is incomplete. When no_proxy=localhost is set, requests…

axios | Remote | Misconfiguration
Apr 24, 2026 Apr 24, 2026
Apr 24, 2026
Apr 24, 2026
5.3 MEDIUM
CVE-2026-42037 — Axios: CRLF Injection in multipart/form-data body via unsanitized blob.type in formDataTo…

Axios is a promise based HTTP client for the browser and Node.js. From 1.0.0 to before 1.15.1, the FormDataPart constructor in lib/helpers/formDataToStream.js interpolates value.type directly into th…

axios | Remote | Injection
Apr 24, 2026 Apr 24, 2026
Apr 24, 2026
Apr 24, 2026
5.3 MEDIUM
CVE-2026-42036 — Axios: HTTP adapter streamed responses bypass maxContentLength

Axios is a promise based HTTP client for the browser and Node.js. Prior to 1.15.1 and 0.31.1, when responseType: 'stream' is used, Axios returns the response stream without enforcing maxContentLength…

axios | Remote | Denial of Service
Apr 24, 2026 Apr 24, 2026
Apr 24, 2026
Apr 24, 2026
7.4 HIGH
CVE-2026-42035 — Axios: Header Injection via Prototype Pollution

Axios is a promise based HTTP client for the browser and Node.js. Prior to 1.15.1 and 0.31.1, a prototype pollution gadget exists in the Axios HTTP adapter (lib/adapters/http.js) that allows an attac…

axios | Remote | Injection
Apr 24, 2026 Apr 24, 2026
Apr 24, 2026
Apr 24, 2026
5.3 MEDIUM
CVE-2026-42034 — Axios: HTTP adapter streamed uploads bypass maxBodyLength when maxRedirects: 0

Axios is a promise based HTTP client for the browser and Node.js. Prior to 1.15.1 and 0.31.1, for stream request bodies, maxBodyLength is bypassed when maxRedirects is set to 0 (native http/https tra…

axios | Remote | Misconfiguration
Apr 24, 2026 Apr 24, 2026
Apr 24, 2026
Apr 24, 2026
7.4 HIGH
CVE-2026-42033 — Axios: Prototype Pollution Gadgets - Response Tampering, Data Exfiltration, and Request H…

Axios is a promise based HTTP client for the browser and Node.js. Prior to 1.15.1 and 0.31.1, when Object.prototype has been polluted by any co-dependency with keys that axios reads without a hasOwnP…

axios | Remote | Injection
Apr 24, 2026 Apr 24, 2026
Apr 24, 2026
Apr 24, 2026
8.3 HIGH
CVE-2026-41898 — rust-openssl: Unchecked callback-returned length in PSK and cookie generate trampolines c…

rust-openssl provides OpenSSL bindings for the Rust programming language. From 0.9.24 to before 0.10.78, the FFI trampolines behind SslContextBuilder::set_psk_client_callback, set_psk_server_callbac…

rust-openssl | Remote | Memory Corruption
Apr 24, 2026 Apr 24, 2026
Apr 24, 2026
Apr 24, 2026
Showing 20 of 5880 Results