3Scale-Amp22 System vulnerabilities

CVE-2026-42035 [HIGH] CWE-915 axios: Axios: Arbitrary HTTP header injection via prototype pollution axios: Axios: Arbitrary HTTP header injection via prototype pollution A flaw was found in Axios, a software library for making network requests. A remote attacker can exploit a prototype pollution vulnerability to inject arbitrary HTTP headers into outgoing requests. This occurs when the application's core object definitions are manipulated, causing Axios to misinterpret data and include attacker

CVE-2026-42037 [MEDIUM] CWE-93 axios: Node.js: Axios: Information disclosure via CRLF injection in multipart Content-Type header axios: Node.js: Axios: Information disclosure via CRLF injection in multipart Content-Type header A flaw was found in Axios, an HTTP client for Node.js. A remote attacker, by controlling the type property of a file-like object, could inject arbitrary MIME part headers into multipart form data. This vulnerability arises from insufficient sanitization of carriage return

CVE-2026-42038 [MEDIUM] CWE-1220 axios: Axios: Information disclosure due to `no_proxy` bypass axios: Axios: Information disclosure due to `no_proxy` bypass A flaw was found in Axios, a software library used for making web requests. This vulnerability allows an attacker to bypass the `no_proxy` configuration, which is designed to prevent certain internal network requests from being sent through an external proxy. Specifically, when `no_proxy=localhost` is set, requests intended for local system

CVE-2026-42042 [MEDIUM] CWE-1025 axios: Axios: XSRF token bypass leading to information disclosure axios: Axios: XSRF token bypass leading to information disclosure A flaw was found in Axios, a promise-based HTTP client. A remote attacker can exploit this vulnerability by manipulating the `withXSRFToken` configuration property to a truthy non-boolean value. This bypasses the same-origin check, causing Cross-Site Request Forgery (XSRF) tokens to be sent to attacker-controlled cross-origin server

CVE-2026-41305 [MEDIUM] CWE-79 postcss: PostCSS: Cross-Site Scripting (XSS) via improper escaping of style closing tags postcss: PostCSS: Cross-Site Scripting (XSS) via improper escaping of style closing tags A flaw was found in PostCSS. This vulnerability allows a remote attacker to perform Cross-Site Scripting (XSS) by submitting specially crafted CSS. When PostCSS processes and re-stringifies this CSS for embedding within HTML `` tags, it fails to properly escape `` sequences. This oversight

CVE-2026-41238 [MEDIUM] CWE-915 DOMPurify: DOMPurify: Cross-Site Scripting bypass via prototype pollution DOMPurify: DOMPurify: Cross-Site Scripting bypass via prototype pollution A flaw was found in DOMPurify, a software library used to clean potentially malicious code from web content, preventing Cross-Site Scripting (XSS) attacks. A remote attacker could exploit a vulnerability related to 'prototype pollution' to bypass DOMPurify's security checks. This allows the attacker to inject harmful

CVE-2026-41239 [MEDIUM] CWE-1289 DOMPurify: Vue 2: DOMPurify: Cross-site scripting due to incomplete sanitization of template expressions DOMPurify: Vue 2: DOMPurify: Cross-site scripting due to incomplete sanitization of template expressions A flaw was found in DOMPurify. A remote attacker could exploit this cross-site scripting (XSS) vulnerability when DOMPurify is configured to return a Document Object Model (DOM) or DOM fragment. The SAFE_FOR_TEMPLATES feature, intended to strip template ex

CVE-2026-41240 [MEDIUM] CWE-79 DOMPurify: DOMPurify: Cross-Site Scripting (XSS) via inconsistent tag sanitization DOMPurify: DOMPurify: Cross-Site Scripting (XSS) via inconsistent tag sanitization A flaw was found in DOMPurify, a DOM-only cross-site scripting sanitizer. A remote attacker could exploit an inconsistency in how forbidden tags and attributes are handled when function-based tag additions are used. This allows malicious HTML, MathML, or SVG elements to bypass sanitization and execute

CVE-2026-40895 [MEDIUM] CWE-212 follow-redirects: follow-redirects: Information disclosure via cross-domain redirects follow-redirects: follow-redirects: Information disclosure via cross-domain redirects A flaw was found in follow-redirects. When an HTTP request follows a cross-domain redirect (a redirection to a different domain), custom authentication headers, such as X-API-Key or X-Auth-Token, are not properly stripped. This allows these sensitive headers to be forwarded verbatim to the redi