Devspaces Code-Rhel9 vulnerabilities

11 known vulnerabilities affecting devspaces/code-rhel9.

Total CVEs: 11
CISA KEV: 0
Public exploits: 0
Exploited in wild: 0
Severity breakdown: HIGH 1, MEDIUM 8, LOW 2

Vulnerabilities

CVE-2026-42035 | HIGH | CVSS 7.4 | 2026-04-24 | source: redhat
CWE-915 | axios: Axios: Arbitrary HTTP header injection via prototype pollution
A flaw was found in Axios, a software library for making network requests. A remote attacker can exploit a prototype pollution vulnerability to inject arbitrary HTTP headers into outgoing requests. This occurs when the application's core object definitions are manipulated, causing Axios to misinterpret data and include attacker
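The following is an added illustration of the bug class this entry describes; it is not axios code and does not reproduce the internals fixed for CVE-2026-42035. It models a header assembler that walks a headers object with for...in, which also enumerates keys an attacker has planted on Object.prototype, next to an own-property version that does not. The header name X-Forwarded-For and the pollution helper are constructed for the demo.

```javascript
// Added illustration of the header-injection-via-prototype-pollution class.
// Not axios code; it models the pattern, not the library's internals.

// Vulnerable model: for...in visits inherited enumerable properties, so a
// key planted on Object.prototype becomes an outgoing header.
function buildHeadersVulnerable(userHeaders) {
  const lines = [];
  for (const name in userHeaders) {
    lines.push(`${name}: ${userHeaders[name]}`);
  }
  return lines;
}

// Hardened model: own keys only, copied onto a null-prototype object, and
// CR/LF rejected in names and values so a polluted value cannot split headers.
function buildHeadersHardened(userHeaders) {
  const safe = Object.create(null);
  for (const name of Object.keys(userHeaders)) {
    const value = String(userHeaders[name]);
    if (/[\r\n]/.test(name) || /[\r\n]/.test(value)) {
      throw new TypeError(`invalid characters in header ${JSON.stringify(name)}`);
    }
    safe[name] = value;
  }
  return Object.keys(safe).map((n) => `${n}: ${safe[n]}`);
}

// Stand-in for a pollution primitive elsewhere in the application (constructed
// for the demo), e.g. an unsafe deep merge of attacker-supplied JSON such as
// {"__proto__": {"X-Forwarded-For": "10.0.0.1"}}. The property is removed
// again after fn() runs so the pollution does not leak into other code.
function withPollutedPrototype(key, value, fn) {
  Object.defineProperty(Object.prototype, key, {
    value, enumerable: true, configurable: true, writable: true,
  });
  try {
    return fn();
  } finally {
    delete Object.prototype[key];
  }
}

// The application only set Accept; the second header in the vulnerable
// output comes from the polluted prototype.
function demo() {
  const headers = { Accept: 'application/json' };
  return withPollutedPrototype('X-Forwarded-For', '10.0.0.1', () => ({
    vulnerable: buildHeadersVulnerable(headers),
    hardened: buildHeadersHardened(headers),
  }));
}

console.log(demo());
```

demo() returns two header lines for the vulnerable assembler and one for the hardened one. The same own-property discipline applies wherever a request option object is merged or iterated, not just to headers.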
CVE-2026-42037 | MEDIUM | CVSS 5.3 | 2026-04-24 | source: redhat
CWE-93 | axios: Node.js: Axios: Information disclosure via CRLF injection in multipart Content-Type header
A flaw was found in Axios, an HTTP client for Node.js. A remote attacker, by controlling the type property of a file-like object, could inject arbitrary MIME part headers into multipart form data. This vulnerability arises from insufficient sanitization of carriage return
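As an added illustration (not axios code) of the injection this entry describes, the block below is a minimal multipart/form-data encoder that copies a file-like object's `type` into the part's Content-Type line, first verbatim and then with a CR/LF check. The boundary string and the attacker-controlled `type` value are constructed for the demo.

```javascript
// Added illustration of CRLF injection through a file-like object's `type`.
// Not axios code; a minimal multipart/form-data encoder with and without
// header sanitization.

// Reject CR, LF and NUL in anything that lands in a MIME part header.
function rejectCrlf(label, value) {
  if (/[\r\n\0]/.test(value)) throw new TypeError(`CR/LF in ${label}`);
  return value;
}

function encodeMultipart(parts, boundary, { hardened }) {
  const CRLF = '\r\n';
  let body = '';
  for (const part of parts) {
    let type = part.type || 'application/octet-stream';
    let { name, filename } = part;
    if (hardened) {
      // Every value interpolated into a header line gets the same check;
      // quoting of '"' inside name/filename is a separate concern not shown here.
      type = rejectCrlf('Content-Type', type);
      name = rejectCrlf('name', name);
      filename = rejectCrlf('filename', filename);
    }
    body += `--${boundary}${CRLF}`
      + `Content-Disposition: form-data; name="${name}"; filename="${filename}"${CRLF}`
      + `Content-Type: ${type}${CRLF}${CRLF}`
      + `${part.data}${CRLF}`;
  }
  return `${body}--${boundary}--${CRLF}`;
}

// Header lines of the first part, so an injected line is visible.
function firstPartHeaders(body, boundary) {
  const afterBoundary = body.split(`--${boundary}\r\n`)[1];
  return afterBoundary.split('\r\n\r\n')[0].split('\r\n');
}

const BOUNDARY = 'demo-boundary-7f3a';
// Constructed file-like object whose MIME type smuggles an extra header line.
const MALICIOUS_PART = {
  name: 'upload',
  filename: 'notes.txt',
  type: 'text/plain\r\nX-Injected: attacker-controlled',
  data: 'hello',
};

function demo() {
  const vulnerable = firstPartHeaders(
    encodeMultipart([MALICIOUS_PART], BOUNDARY, { hardened: false }), BOUNDARY);
  let hardenedError = null;
  try {
    encodeMultipart([MALICIOUS_PART], BOUNDARY, { hardened: true });
  } catch (e) {
    hardenedError = e.message;
  }
  return { vulnerable, hardenedError };
}

console.log(demo());
```

With the unsanitized encoder the first part carries three header lines, the third being the attacker's X-Injected line; the hardened encoder refuses the part before any bytes are written.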
CVE-2026-42038 | MEDIUM | CVSS 6.8 | 2026-04-24 | source: redhat
CWE-1220 | axios: Axios: Information disclosure due to `no_proxy` bypass
A flaw was found in Axios, a software library used for making web requests. This vulnerability allows an attacker to bypass the `no_proxy` configuration, which is designed to prevent certain internal network requests from being sent through an external proxy. Specifically, when `no_proxy=localhost` is set, requests intended for local system
CVE-2026-42042 | MEDIUM | CVSS 5.4 | 2026-04-24 | source: redhat
CWE-1025 | axios: Axios: XSRF token bypass leading to information disclosure
A flaw was found in Axios, a promise-based HTTP client. A remote attacker can exploit this vulnerability by manipulating the `withXSRFToken` configuration property to a truthy non-boolean value. This bypasses the same-origin check, causing Cross-Site Request Forgery (XSRF) tokens to be sent to attacker-controlled cross-origin server
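The block below is an added model of the decision this entry describes, not axios code. It assumes the usual three-way semantics for a `withXSRFToken` option: boolean `true` means always attach the token, `false` means never, and unset means attach only on same-origin requests. The vulnerable variant uses JavaScript truthiness, so a value that arrived as a string or object (for example from a merged or deserialized config) counts as an explicit opt-in; the hardened variant accepts only the boolean `true`. The page origin, request URLs and token value are constructed inputs.

```javascript
// Added model of a same-origin-gated XSRF token policy. Not axios code.

function isSameOrigin(requestUrl, pageOrigin) {
  return new URL(requestUrl, pageOrigin).origin === pageOrigin;
}

// Vulnerable model: any truthy value opts in, regardless of origin.
function shouldSendXsrfVulnerable(config, requestUrl, pageOrigin) {
  const { withXSRFToken } = config;
  if (withXSRFToken) return true;
  return withXSRFToken !== false && isSameOrigin(requestUrl, pageOrigin);
}

// Hardened model: strict boolean comparison; a value that is not exactly
// true, false or undefined is refused instead of being coerced.
function shouldSendXsrfHardened(config, requestUrl, pageOrigin) {
  const { withXSRFToken } = config;
  if (withXSRFToken === true) return true;
  if (withXSRFToken === false) return false;
  if (withXSRFToken === undefined) return isSameOrigin(requestUrl, pageOrigin);
  throw new TypeError(`withXSRFToken must be a boolean, got ${typeof withXSRFToken}`);
}

// Attach the token header only when the chosen policy allows it.
function buildRequestHeaders(config, requestUrl, pageOrigin, token, policy) {
  const headers = { Accept: 'application/json' };
  if (policy(config, requestUrl, pageOrigin)) headers['X-XSRF-TOKEN'] = token;
  return headers;
}

const PAGE_ORIGIN = 'https://app.example.com';
const CROSS_ORIGIN_URL = 'https://collector.example.net/ingest';

// A config whose option was coerced to the string 'false' (e.g. read from a
// query string or environment): truthy, but not the boolean true.
function demo() {
  const coerced = { withXSRFToken: 'false' };
  const result = {
    vulnerable: buildRequestHeaders(coerced, CROSS_ORIGIN_URL, PAGE_ORIGIN, 'tok', shouldSendXsrfVulnerable),
  };
  try {
    result.hardened = buildRequestHeaders(coerced, CROSS_ORIGIN_URL, PAGE_ORIGIN, 'tok', shouldSendXsrfHardened);
  } catch (e) {
    result.hardenedError = e.message;
  }
  return result;
}

console.log(demo());
```

In demo() the string 'false' makes the vulnerable policy ship the token to the cross-origin collector, while the hardened policy rejects the option outright; the same-origin fallback for an unset option still behaves as intended.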
CVE-2026-41238 | MEDIUM | CVSS 6.9 | 2026-04-23 | source: redhat
CWE-915 | DOMPurify: DOMPurify: Cross-Site Scripting bypass via prototype pollution
A flaw was found in DOMPurify, a software library used to clean potentially malicious code from web content, preventing Cross-Site Scripting (XSS) attacks. A remote attacker could exploit a vulnerability related to 'prototype pollution' to bypass DOMPurify's security checks. This allows the attacker to inject harmful
CVE-2026-41239 | MEDIUM | CVSS 6.8 | 2026-04-23 | source: redhat
CWE-1289 | DOMPurify: Vue 2: DOMPurify: Cross-site scripting due to incomplete sanitization of template expressions
A flaw was found in DOMPurify. A remote attacker could exploit this cross-site scripting (XSS) vulnerability when DOMPurify is configured to return a Document Object Model (DOM) or DOM fragment. The SAFE_FOR_TEMPLATES feature, intended to strip template ex
CVE-2026-41240 | MEDIUM | CVSS 6.0 | 2026-04-23 | source: redhat
CWE-79 | DOMPurify: DOMPurify: Cross-Site Scripting (XSS) via inconsistent tag sanitization
A flaw was found in DOMPurify, a DOM-only cross-site scripting sanitizer. A remote attacker could exploit an inconsistency in how forbidden tags and attributes are handled when function-based tag additions are used. This allows malicious HTML, MathML, or SVG elements to bypass sanitization and execute
CVE-2026-41988 | LOW | CVSS 3.2 | 2026-04-23 | source: redhat
CWE-787 | uuid: uuid: Unexpected data writes when using external output buffers with specific UUID versions
A flaw was found in uuid. When external output buffers are used with UUID versions 3, 5, or 6, an attacker with local access may be able to cause unexpected data writes. This vulnerability could lead to low impact data integrity issues. UUID version 4 is not affected. Pack
CVE-2026-6019 | LOW | CVSS 2.1 | 2026-04-22 | source: redhat
CWE-79 | python: Python: Cross-Site Scripting (XSS) vulnerability in http.cookies module
A flaw was found in Python's `http.cookies` module. The `Morsel.js_output()` function, responsible for generating JavaScript output for cookies, does not properly neutralize the `` HTML sequence. This oversight could allow a remote attacker to inject malicious script into a web page, potentially leading to Cros
CVE-2026-40895 | MEDIUM | CVSS 6.9 | 2026-04-21 | source: redhat
CWE-212 | follow-redirects: follow-redirects: Information disclosure via cross-domain redirects
A flaw was found in follow-redirects. When an HTTP request follows a cross-domain redirect (a redirection to a different domain), custom authentication headers, such as X-API-Key or X-Auth-Token, are not properly stripped. This allows these sensitive headers to be forwarded verbatim to the redi
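As an added example, not follow-redirects code, the block below shows the header-stripping step a redirect-following client needs before re-sending a request to a Location on a different host. The denylist is an assumption for the demo: it contains X-API-Key and X-Auth-Token, which this entry names as the custom headers forwarded verbatim, plus the standard Authorization, Proxy-Authorization and Cookie headers. The https-to-http downgrade rule and the sample request are likewise constructed for the demo.

```javascript
// Added example of stripping credentials on cross-domain redirects.
// Not follow-redirects code.

const DEFAULT_SENSITIVE_HEADERS = new Set([
  'authorization', 'proxy-authorization', 'cookie', 'x-api-key', 'x-auth-token',
]);

// Resolve the redirect target and decide which headers may follow it.
// Sensitive headers are dropped when the hostname changes or when the scheme
// is downgraded from https to http (the downgrade rule is an added precaution).
function headersForRedirect(originalUrl, location, headers, sensitive = DEFAULT_SENSITIVE_HEADERS) {
  const from = new URL(originalUrl);
  const to = new URL(location, from);          // Location may be relative
  const crossDomain = from.hostname !== to.hostname;
  const downgrade = from.protocol === 'https:' && to.protocol === 'http:';
  const kept = {};
  const dropped = [];
  for (const [name, value] of Object.entries(headers)) {
    if ((crossDomain || downgrade) && sensitive.has(name.toLowerCase())) {
      dropped.push(name);
    } else {
      kept[name] = value;
    }
  }
  return { url: to.href, crossDomain, downgrade, headers: kept, dropped };
}

// Constructed scenario: an API answers 302 with a Location on a host the
// client never intended to authenticate to.
const ORIGINAL_REQUEST = {
  url: 'https://api.example.com/v1/report',
  headers: {
    Accept: 'application/json',
    Authorization: 'Bearer demo-token',
    'X-API-Key': 'demo-api-key',
    'X-Auth-Token': 'demo-session',
  },
};

function demo() {
  return {
    offsite: headersForRedirect(ORIGINAL_REQUEST.url, 'https://collector.example.net/capture', ORIGINAL_REQUEST.headers),
    sameHost: headersForRedirect(ORIGINAL_REQUEST.url, '/v2/report', ORIGINAL_REQUEST.headers),
  };
}

console.log(demo());
```

The offsite redirect keeps only Accept and reports the three credential headers as dropped; the same-host relative redirect forwards everything. Comparing hostnames rather than registrable domains is deliberately conservative: a redirect from api.example.com to cdn.example.com also loses its credentials.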
CVE-2026-31988 | MEDIUM | CVSS 6.9 | 2026-03-11 | source: redhat
CWE-193 | yauzl: yauzl: Denial of Service vulnerability in zip file processing
yauzl (aka Yet Another Unzip Library) version 3.2.0 for Node.js contains an off-by-one error in the NTFS extended timestamp extra field parser within the `getLastModDate()` function. The while loop condition checks `cursor < data.length + 4` instead of `cursor + 4 <= data.length`, allowing `readUInt16LE()` to read past the buffer bound
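The block below is an added reproduction of the loop-bound error this entry quotes, written against a minimal model of the NTFS extra-field layout (4 reserved bytes, then attributes of tag:u16, size:u16, data). It is not yauzl code; only the two while-conditions come from the advisory text. The input buffers and the extra size guard are constructed for the demo.

```javascript
// Added reproduction of the off-by-one loop bound. Not yauzl code; the two
// while-conditions are the ones quoted in the advisory.

// Parse attributes from an NTFS extra field body. `fixed` selects the
// corrected bound; false reproduces the off-by-one.
function parseNtfsAttributes(data, fixed) {
  const attrs = [];
  let cursor = 4;  // skip the 4 reserved bytes
  while (fixed ? cursor + 4 <= data.length : cursor < data.length + 4) {
    // With the buggy bound, cursor can equal data.length here, and Node's
    // Buffer throws a RangeError (ERR_OUT_OF_RANGE) on the read.
    const tag = data.readUInt16LE(cursor);
    const size = data.readUInt16LE(cursor + 2);
    cursor += 4;
    // Added guard (not part of the advisory): the declared size must fit too.
    if (cursor + size > data.length) {
      throw new Error(`NTFS attribute 0x${tag.toString(16)} runs past the extra field`);
    }
    attrs.push({ tag, size, value: data.subarray(cursor, cursor + size) });
    cursor += size;
  }
  return attrs;
}

// Constructed inputs.
// Well-formed field: reserved(4) + one attribute, tag 0x0001, size 4.
const WELL_FORMED = Buffer.from([0, 0, 0, 0, 0x01, 0x00, 0x04, 0x00, 0xde, 0xad, 0xbe, 0xef]);
// Truncated field: size claims 9 bytes but only 2 follow.
const TRUNCATED = Buffer.from([0, 0, 0, 0, 0x01, 0x00, 0x09, 0x00, 0x01, 0x02]);

// Run the parser and report the outcome instead of letting the exception
// escape, which in a server is the denial of service.
function tryParse(data, fixed) {
  try {
    return { ok: true, attrs: parseNtfsAttributes(data, fixed) };
  } catch (e) {
    return { ok: false, rangeError: e instanceof RangeError, message: e.message };
  }
}

console.log('buggy bound, well-formed input:', tryParse(WELL_FORMED, false));
console.log('fixed bound, well-formed input:', tryParse(WELL_FORMED, true));
console.log('fixed bound, truncated input:', tryParse(TRUNCATED, true));
```

Note that the buggy bound fails even on the well-formed field: after the only attribute is consumed, cursor equals data.length, the condition `cursor < data.length + 4` still holds, and the next readUInt16LE() reads past the end. The corrected bound stops the loop as soon as fewer than four bytes remain, and the size guard rejects an attribute whose declared length overruns the field.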