VYPR

apk package

chainguard/nextcloud-server-34

pkg:apk/chainguard/nextcloud-server-34

Vulnerabilities (12)

  • CVE-2026-44495HigJun 11, 2026
    affected < 34.0.1-r1fixed 34.0.1-r1

    Axios is a promise based HTTP client for the browser and Node.js. From 0.19.0 to before 0.31.1 and 1.15.2, Axios contains prototype-pollution gadgets in request config processing. If another vulnerability in the same JavaScript process has already polluted Object.prototype.transf

  • CVE-2026-44494HigJun 11, 2026
    affected < 34.0.1-r1fixed 34.0.1-r1

    Axios is a promise based HTTP client for the browser and Node.js. From 1.0.0 to before 1.16.0, the Axios library is vulnerable to a Prototype Pollution "Gadget" attack that allows any Object.prototype pollution in the application's dependency tree to be escalated into a full Man-

  • CVE-2026-44492HigJun 11, 2026
    affected < 34.0.1-r1fixed 34.0.1-r1

    Axios is a promise based HTTP client for the browser and Node.js. Prior to 0.32.0 and 1.16.0, Axios does not normalise IPv4-mapped IPv6 addresses. When NO_PROXY lists an IPv4 address such as 127.0.0.1 or 169.254.169.254, a request URL using the IPv4-mapped IPv6 form (::ffff:7f00:

  • CVE-2026-44487HigJun 11, 2026
    affected < 34.0.1-r1fixed 34.0.1-r1

    Axios is a promise based HTTP client for the browser and Node.js. Prior to 0.32.0 and 1.16.0, Axios’s Node.js HTTP adapter may forward a Proxy-Authorization header to a redirected origin during specific proxy-to-direct redirect flows. This affects Node.js usage, where an initial

  • CVE-2026-42044MedApr 24, 2026
    affected < 34.0.1-r1fixed 34.0.1-r1

    Axios is a promise based HTTP client for the browser and Node.js. From 1.0.0 to before 1.15.2, he Axios library is vulnerable to a Prototype Pollution "Gadget" attack that allows any Object.prototype pollution in the application's dependency tree to be escalated into surgical, in

  • CVE-2026-42042MedApr 24, 2026
    affected < 34.0.1-r1fixed 34.0.1-r1

    Axios is a promise based HTTP client for the browser and Node.js. Prior to 1.15.1 and 0.31.1, the Axios library's XSRF token protection logic uses JavaScript truthy/falsy semantics instead of strict boolean comparison for the withXSRFToken config property. When this property is s

  • CVE-2026-42041MedApr 24, 2026
    affected < 34.0.1-r1fixed 34.0.1-r1

    Axios is a promise based HTTP client for the browser and Node.js. Prior to 1.15.1 and 0.31.1, the Axios library is vulnerable to a Prototype Pollution "Gadget" attack that allows any Object.prototype pollution to silently suppress all HTTP error responses (401, 403, 500, etc.), c

  • CVE-2026-42039HigApr 24, 2026
    affected < 34.0.1-r1fixed 34.0.1-r1

    Axios is a promise based HTTP client for the browser and Node.js. Prior to 1.15.1 and 0.31.1, toFormData recursively walks nested objects with no depth limit, so a deeply nested value passed as request data crashes the Node.js process with a RangeError. This vulnerability is fixe

  • CVE-2026-42036MedApr 24, 2026
    affected < 34.0.1-r1fixed 34.0.1-r1

    Axios is a promise based HTTP client for the browser and Node.js. Prior to 1.15.1 and 0.31.1, when responseType: 'stream' is used, Axios returns the response stream without enforcing maxContentLength. This bypasses configured response-size limits and allows unbounded downstream c

  • CVE-2026-42035HigApr 24, 2026
    affected < 34.0.1-r1fixed 34.0.1-r1

    Axios is a promise based HTTP client for the browser and Node.js. Prior to 1.15.1 and 0.31.1, a prototype pollution gadget exists in the Axios HTTP adapter (lib/adapters/http.js) that allows an attacker to inject arbitrary HTTP headers into outgoing requests. The vulnerability ex

  • CVE-2026-42034MedApr 24, 2026
    affected < 34.0.1-r1fixed 34.0.1-r1

    Axios is a promise based HTTP client for the browser and Node.js. Prior to 1.15.1 and 0.31.1, for stream request bodies, maxBodyLength is bypassed when maxRedirects is set to 0 (native http/https transport path). Oversized streamed uploads are sent fully even when the caller sets

  • CVE-2026-42033HigApr 24, 2026
    affected < 34.0.1-r1fixed 34.0.1-r1

    Axios is a promise based HTTP client for the browser and Node.js. Prior to 1.15.1 and 0.31.1, when Object.prototype has been polluted by any co-dependency with keys that axios reads without a hasOwnProperty guard, an attacker can (a) silently intercept and modify every JSON respo