CVE-2026-25639
Axios is a promise based HTTP client for the browser and Node.js. Prior to versions 0.30.3 and 1.13.5, the mergeConfig function in axios cra
CVSS
7.5
High
EPSS
2.5%
p83
KEV
—
Exploit Today
25
0-100
Published: Feb 9, 2026 · Last modified: Jul 16, 2026 · CWE-754 · CWE-1287
1.6%EPSS · 30 days2.6%
2026-06-302026-07-16
Axios is a promise based HTTP client for the browser and Node.js. Prior to versions 0.30.3 and 1.13.5, the mergeConfig function in axios crashes with a TypeError when processing configuration objects containing __proto__ as an own property. An attacker can trigger this by providing a malicious configuration object created via JSON.parse(), causing complete denial of service. This vulnerability is fixed in versions 0.30.3 and 1.13.5.
- github.comhttps://github.com/axios/axios/commit/28c721588c7a77e7503d0a434e016f852c597b57
- github.comhttps://github.com/axios/axios/commit/d7ff1409c68168d3057fc3891f911b2b92616f9e
- github.comhttps://github.com/axios/axios/pull/7369
- github.comhttps://github.com/axios/axios/pull/7388
- github.comhttps://github.com/axios/axios/releases/tag/v0.30.3
- github.comhttps://github.com/axios/axios/releases/tag/v1.13.5
- github.comhttps://github.com/axios/axios/security/advisories/GHSA-43fc-jf86-j433
- access.redhat.comhttps://access.redhat.com/errata/RHSA-2026:10184
- access.redhat.comhttps://access.redhat.com/errata/RHSA-2026:11414
- access.redhat.comhttps://access.redhat.com/errata/RHSA-2026:13542
- access.redhat.comhttps://access.redhat.com/errata/RHSA-2026:13548
- access.redhat.comhttps://access.redhat.com/errata/RHSA-2026:19712
- access.redhat.comhttps://access.redhat.com/errata/RHSA-2026:25041
- access.redhat.comhttps://access.redhat.com/errata/RHSA-2026:2694
- access.redhat.comhttps://access.redhat.com/errata/RHSA-2026:3087
- access.redhat.comhttps://access.redhat.com/errata/RHSA-2026:3105
- access.redhat.comhttps://access.redhat.com/errata/RHSA-2026:3106
- access.redhat.comhttps://access.redhat.com/errata/RHSA-2026:3107
- access.redhat.comhttps://access.redhat.com/errata/RHSA-2026:3109
- access.redhat.comhttps://access.redhat.com/errata/RHSA-2026:36882
CVECVSSEPSSKEVRExploitTitleMod.
CVE-2026-59467.5 HIG76.2%
——23Multiple flaws have been identified in `named` related to the handling of DNS messages whose CLASS is not Internet (`IN`) — for example, `CHAOS` or `HESIOD`, or DNS messages that specify meta-classes (`ANY` or `NONE`) in the question section. Specially crafted requests reaching the affected code paths — recursion, dynamic updates (`UPDATE`), zone change notifications (`NOTIFY`), or processing of `IN`-specific record types in non-`IN` data — can cause assertion failures in `named`.
This issue affects BIND 9 versions 9.11.0 through 9.16.50, 9.18.0 through 9.18.48, 9.20.0 through 9.20.22, 9.21.0 through 9.21.21, 9.11.3-S1 through 9.16.50-S1, 9.18.11-S1 through 9.18.48-S1, and 9.20.9-S1 through 9.20.22-S1.2dCVE-2026-20048.8 HIG52.0%
——16Missing validation of type of input in PostgreSQL intarray extension selectivity estimator function allows an object creator to execute arbitrary code as the operating system user running the database. Versions before PostgreSQL 18.2, 17.8, 16.12, 15.16, and 14.21 are affected.2dCVE-2026-46947.5 HIG51.6%
——15Incorrect boundary conditions, integer overflow in the Graphics component. This vulnerability was fixed in Firefox 149, Firefox ESR 115.34, Firefox ESR 140.9, Thunderbird 149, and Thunderbird 140.9.2dCVE-2026-46908.6 HIG51.6%
——15Sandbox escape due to incorrect boundary conditions, integer overflow in the XPCOM component. This vulnerability was fixed in Firefox 149, Firefox ESR 115.34, Firefox ESR 140.9, Thunderbird 149, and Thunderbird 140.9.2dCVE-2026-46867.5 HIG49.1%
——15Incorrect boundary conditions in the Graphics: Canvas2D component. This vulnerability was fixed in Firefox 149, Firefox ESR 115.34, Firefox ESR 140.9, Thunderbird 149, and Thunderbird 140.9.2dCVE-2026-46997.5 HIG48.6%
——15Incorrect boundary conditions in the Layout: Text and Fonts component. This vulnerability was fixed in Firefox 149, Firefox ESR 115.34, Firefox ESR 140.9, Thunderbird 149, and Thunderbird 140.9.2d