CVE-2026-42043
Axios is a promise based HTTP client for the browser and Node.js. Prior to 1.15.1 and 0.31.1, an attacker who can influence the target URL o
CVSS
7.2
High
EPSS
0.7%
p47
KEV
—
Exploit Today
14
0-100
Published: Apr 24, 2026 · Last modified: Jul 15, 2026 · CWE-183 · CWE-441 · CWE-918
0.7%EPSS · 30 days0.7%
2026-06-302026-07-16
Axios is a promise based HTTP client for the browser and Node.js. Prior to 1.15.1 and 0.31.1, an attacker who can influence the target URL of an Axios request can use any address in the 127.0.0.0/8 range (other than 127.0.0.1) to completely bypass the NO_PROXY protection. This vulnerability is due to an incomplete for CVE-2025-62718, This vulnerability is fixed in 1.15.1 and 0.31.1.
- github.comhttps://github.com/axios/axios/security/advisories/GHSA-pmwg-cvhr-8vh7
- access.redhat.comhttps://access.redhat.com/errata/RHSA-2026:14937
- access.redhat.comhttps://access.redhat.com/errata/RHSA-2026:16476
- access.redhat.comhttps://access.redhat.com/errata/RHSA-2026:16532
- access.redhat.comhttps://access.redhat.com/errata/RHSA-2026:16534
- access.redhat.comhttps://access.redhat.com/errata/RHSA-2026:16535
- access.redhat.comhttps://access.redhat.com/errata/RHSA-2026:16542
- access.redhat.comhttps://access.redhat.com/errata/RHSA-2026:16874
- access.redhat.comhttps://access.redhat.com/errata/RHSA-2026:17468
- access.redhat.comhttps://access.redhat.com/errata/RHSA-2026:17474
- access.redhat.comhttps://access.redhat.com/errata/RHSA-2026:17657
- access.redhat.comhttps://access.redhat.com/errata/RHSA-2026:17699
- access.redhat.comhttps://access.redhat.com/errata/RHSA-2026:19109
- access.redhat.comhttps://access.redhat.com/errata/RHSA-2026:19375
- access.redhat.comhttps://access.redhat.com/errata/RHSA-2026:20889
- access.redhat.comhttps://access.redhat.com/errata/RHSA-2026:20938
- access.redhat.comhttps://access.redhat.com/errata/RHSA-2026:21017
- access.redhat.comhttps://access.redhat.com/errata/RHSA-2026:21338
- access.redhat.comhttps://access.redhat.com/errata/RHSA-2026:21772
- access.redhat.comhttps://access.redhat.com/errata/RHSA-2026:22465
CVECVSSEPSSKEVRExploitTitleMod.
CVE-2026-202308.6 HIG98.5%
KEV—80Cisco Unified Communications Manager Server-Side Request Forgery (SSRF) Vulnerability16dCVE-2026-1540910.0 CRI66.4%
KEV—70SonicWall SMA1000 Appliances Server-Side Request Forgery Vulnerability1dCVE-2020-248819.8 CRI99.4%
——30SSRF exists in osTicket before 1.14.3, where an attacker can add malicious file to server or perform port scanning.7dCVE-2026-445788.6 HIG98.4%
——30Next.js is a React framework for building full-stack web applications. From 13.4.13 to before 15.5.16 and 16.2.5, self-hosted applications using the built-in Node.js server can be vulnerable to server-side request forgery through crafted WebSocket upgrade requests. An attacker can cause the server to proxy requests to arbitrary internal or external destinations, which may expose internal services or cloud metadata endpoints. Vercel-hosted deployments are not affected. This vulnerability is fixed in 15.5.16 and 16.2.5.1dCVE-2023-271597.5 HIG98.3%
——29Appwrite up to v1.2.1 was discovered to contain a Server-Side Request Forgery (SSRF) via the component /v1/avatars/favicon. This vulnerability allows attackers to access network resources and sensitive information via a crafted GET request.9dCVE-2026-483327.7 HIG95.7%
——29ColdFusion is affected by a Server-Side Request Forgery (SSRF) vulnerability that could result in a Security feature bypass. A low-privileged attacker could leverage this vulnerability to bypass security measures and gain unauthorized read access. Exploitation of this issue does not require user interaction. Scope is changed.2d