SB2026062221 - Multiple vulnerabilities in IBM Decision Optimization for Cloud Pak for Data
Published: June 22, 2026
Description
This security bulletin contains information about 36 vulnerabilities.
1) Prototype pollution (CVE-ID: CVE-2026-42041)
CWE-ID: CWE-1321 - Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to bypass application-level authentication checks and suppress HTTP error handling.
The vulnerability exists due to improperly controlled modification of object prototype attributes ('prototype pollution') in lib/core/mergeConfig.js and lib/core/settle.js when merging request configuration after Object.prototype has been polluted with a crafted validateStatus property. A remote attacker can pollute Object.prototype.validateStatus with a function that always returns true to bypass application-level authentication checks and suppress HTTP error handling.
Exploitation requires chaining with an existing prototype pollution condition elsewhere in the application stack.
2) Integer overflow (CVE-ID: CVE-2026-23865)
CWE-ID: CWE-190 - Integer overflow
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:L/VA:L/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to gain access to sensitive information.
The vulnerability exists due to integer overflow within the tt_var_load_item_variation_store() function when parsing HVAR/VVAR/MVAR tables in OpenType variable fonts. A remote attacker can trick the victim into opening a specially crafted file, trigger an integer overflow and read memory contents on the system.
3) Permissive List of Allowed Inputs (CVE-ID: CVE-2026-42042)
CWE-ID: CWE-183 - Permissive List of Allowed Inputs
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to disclose sensitive information and bypass CSRF protections.
The vulnerability exists due to permissive list of allowed inputs in lib/helpers/resolveConfig.js when processing the withXSRFToken config property during browser requests. A remote attacker can pollute Object.prototype.withXSRFToken with a truthy non-boolean value or rely on a misconfigured truthy non-boolean value to disclose sensitive information and bypass CSRF protections.
User interaction is required, and the issue affects browser environments where the XSRF logic runs only when hasStandardBrowserEnv is true.
4) Permissive List of Allowed Inputs (CVE-ID: CVE-2026-42043)
CWE-ID: CWE-183 - Permissive List of Allowed Inputs
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to bypass proxy restrictions and disclose sensitive information.
The vulnerability exists due to permissive list of allowed inputs in lib/helpers/shouldBypassProxy.js when processing Axios requests to loopback addresses in the 127.0.0.0/8 range. A remote attacker can influence the target URL to bypass proxy restrictions and disclose sensitive information.
Exploitation requires the application to use proxy environment variables and rely on NO_PROXY rules to protect loopback services.
5) Server-Side Request Forgery (SSRF) (CVE-ID: CVE-2025-62718)
CWE-ID: CWE-918 - Server-Side Request Forgery (SSRF)
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:L/SC:L/SI:N/SA:N/E:U/U:Amber
The vulnerability allows a remote attacker to conduct server-side request forgery and disclose sensitive information.
The vulnerability exists due to improper hostname normalization in NO_PROXY rule evaluation when processing attacker-controlled request URLs. A remote attacker can supply a crafted URL using forms such as "localhost." or "[::1]" to conduct server-side request forgery and disclose sensitive information.
Applications that rely on NO_PROXY entries for loopback or internal services are affected.
6) Prototype pollution (CVE-ID: CVE-2026-42044)
CWE-ID: CWE-1321 - Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to tamper with JSON API responses.
The vulnerability exists due to prototype pollution in parseReviver in lib/defaults/index.js when parsing JSON responses. A remote attacker can pollute Object.prototype.parseReviver via another vulnerable library in the dependency tree to tamper with JSON API responses.
Exploitation requires a separate prototype pollution source in the application's dependency tree.
7) Improper input validation (CVE-ID: CVE-2026-34282)
CWE-ID: CWE-20 - Improper input validation
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote non-authenticated attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to improper input validation within the Networking component in Oracle GraalVM Enterprise Edition. A remote non-authenticated attacker can exploit this vulnerability to perform a denial of service (DoS) attack.
8) Improper input validation (CVE-ID: CVE-2026-22016)
CWE-ID: CWE-20 - Improper input validation
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote non-authenticated attacker to gain access to sensitive information.
The vulnerability exists due to improper input validation within the JAXP component in Oracle GraalVM Enterprise Edition. A remote non-authenticated attacker can exploit this vulnerability to gain access to sensitive information.
9) Improper input validation (CVE-ID: CVE-2026-22021)
CWE-ID: CWE-20 - Improper input validation
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote non-authenticated attacker to perform service disruption.
The vulnerability exists due to improper input validation within the JSSE component in Oracle GraalVM Enterprise Edition. A remote non-authenticated attacker can exploit this vulnerability to perform service disruption.
10) Null Byte Interaction Error (Poison Null Byte) (CVE-ID: CVE-2026-42040)
CWE-ID: CWE-626 - Null Byte Interaction Error (Poison Null Byte)
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a remote attacker to inject raw null bytes into serialized URL query parameters.
The vulnerability exists due to null byte interaction error in lib/helpers/AxiosURLSearchParams.js encode() function when serializing parameters through AxiosURLSearchParams.toString() without an encoder or through custom paramsSerializer delegation. A remote attacker can supply crafted input containing null bytes to inject raw null bytes into serialized URL query parameters.
The standard axios request flow using buildURL is not affected, and exploitation is limited to direct AxiosURLSearchParams usage or custom serializer paths that delegate to the internal encoder.
11) Improper input validation (CVE-ID: CVE-2026-22013)
CWE-ID: CWE-20 - Improper input validation
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:A/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote non-authenticated attacker to gain access to sensitive information.
The vulnerability exists due to improper input validation within the JGSS component in Oracle GraalVM Enterprise Edition. A remote non-authenticated attacker can exploit this vulnerability to gain access to sensitive information.
12) Improper input validation (CVE-ID: CVE-2026-22018)
CWE-ID: CWE-20 - Improper input validation
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a remote non-authenticated attacker to perform service disruption.
The vulnerability exists due to improper input validation within the Libraries component in Oracle GraalVM Enterprise Edition. A remote non-authenticated attacker can exploit this vulnerability to perform service disruption.
13) Improper input validation (CVE-ID: CVE-2026-22008)
CWE-ID: CWE-20 - Improper input validation
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a remote non-authenticated attacker to manipulate data.
The vulnerability exists due to improper input validation within the Libraries component in Oracle Java SE. A remote non-authenticated attacker can exploit this vulnerability to manipulate data.
14) Improper input validation (CVE-ID: CVE-2026-34268)
CWE-ID: CWE-20 - Improper input validation
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local non-authenticated attacker to gain access to sensitive information.
The vulnerability exists due to improper input validation within the Security component in Oracle GraalVM Enterprise Edition. A local non-authenticated attacker can exploit this vulnerability to gain access to sensitive information.
15) Improper input validation (CVE-ID: CVE-2026-22007)
CWE-ID: CWE-20 - Improper input validation
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local non-authenticated attacker to gain access to sensitive information.
The vulnerability exists due to improper input validation within the Security component in Oracle GraalVM Enterprise Edition. A local non-authenticated attacker can exploit this vulnerability to gain access to sensitive information.
16) Out-of-bounds read (CVE-ID: CVE-2026-6918)
CWE-ID: CWE-125 - Out-of-bounds read
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to cause a denial of service.
The vulnerability exists due to out-of-bounds read in Message::deserialize() and MessageBuffer::readData() when processing a crafted TCP message containing an attacker-controlled DataDescriptor._size value. A remote attacker can send a specially crafted TCP message to cause a denial of service.
The issue occurs before protocol-level validation, and no authentication, encryption, or valid JIT compilation request is required. Deployments running without TLS client authentication are affected by default.
17) NULL pointer dereference (CVE-ID: CVE-2026-8723)
CWE-ID: CWE-476 - NULL Pointer Dereference
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to cause a denial of service.
The vulnerability exists due to null pointer dereference in qs.stringify when processing arrays with comma format and encodeValuesOnly enabled. A remote attacker can supply input containing null or undefined array elements to cause a denial of service.
In typical Node.js HTTP frameworks, the synchronous exception usually causes the affected request to return an error rather than terminating the worker process. The vulnerable input is reachable from JSON request bodies or from application code constructing arrays from user input.
18) Improper Encoding or Escaping of Output (CVE-ID: CVE-2026-34480)
CWE-ID: CWE-116 - Improper Encoding or Escaping of Output
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to cause log event loss.
The vulnerability exists due to improper output neutralization in XmlLayout when processing log messages or MDC values containing XML 1.0 forbidden characters. A remote attacker can supply crafted input containing forbidden characters to cause log event loss.
The impact depends on the StAX implementation in use: built-in JRE StAX may produce malformed XML that downstream parsers reject, while alternative implementations may throw an exception during the logging call so the event is delivered only to Log4j's internal status logger.
19) Uncontrolled Recursion (CVE-ID: CVE-2026-42039)
CWE-ID: CWE-674 - Uncontrolled Recursion
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to cause a denial of service.
The vulnerability exists due to uncontrolled recursion in toFormData in lib/helpers/toFormData.js when processing deeply nested request data or params objects. A remote attacker can send a deeply nested object to cause a denial of service.
The issue can be reached in server-side code that forwards client-controlled objects into axios request data or params, and may terminate the running request handler or process with a RangeError.
20) Resource exhaustion (CVE-ID: CVE-2026-42587)
CWE-ID: CWE-400 - Resource exhaustion
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to cause a denial of service.
The vulnerability exists due to uncontrolled resource consumption in HttpContentDecompressor and DelegatingDecompressorFrameListener when processing compressed HTTP request bodies with Content-Encoding set to br, zstd, or snappy. A remote attacker can send a specially crafted compressed payload to cause a denial of service.
The configured maxAllocation limit is enforced for gzip and deflate, but is silently ignored for brotli, zstd, and snappy. The issue affects both HTTP/1.1 and HTTP/2 handling.
21) Cross-site scripting (CVE-ID: CVE-2026-41305)
CWE-ID: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to execute arbitrary script in a victim's browser.
The vulnerability exists due to cross-site scripting in CSS stringify output when embedding re-stringified user-supplied CSS in HTML style tags. A remote attacker can supply crafted CSS containing an unescaped closing style sequence to execute arbitrary script in a victim's browser.
User interaction is required to load the generated HTML.
22) Improper Certificate Validation (CVE-ID: CVE-2026-34477)
CWE-ID: CWE-295 - Improper Certificate Validation
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to perform a man-in-the-middle attack.
The vulnerability exists due to improper certificate validation in the TLS hostname verification handling of the verifyHostName attribute in Log4j Core SSL configuration when establishing TLS connections for SMTP, Socket, or Syslog appenders. A remote attacker can present a certificate issued by a trusted certificate authority to perform a man-in-the-middle attack.
The issue occurs only when TLS is configured via a nested SSL configuration element, and it does not affect the HTTP appender.
23) Improper validation of certificate with host mismatch (CVE-ID: CVE-2025-68161)
CWE-ID: CWE-297 - Improper Validation of Certificate with Host Mismatch
CVSSv4: CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:L/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to perform a MitM attack.
The vulnerability exists because the Socket Appender does not perform TLS hostname verification of the peer certificate, even when the "verifyHostName" configuration attribute or the "log4j2.sslVerifyHostName" system property is set to true. A remote attacker can perform a MitM attack and intercept or redirect the log traffic.
24) Improper Output Neutralization for Logs (CVE-ID: CVE-2026-34478)
CWE-ID: CWE-117 - Improper Output Neutralization for Logs
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to inject arbitrary log entries.
The vulnerability exists due to improper neutralization of CRLF sequences in Rfc5424Layout when processing logged data with direct Rfc5424Layout configuration using TCP framing. A remote attacker can supply specially crafted input containing CRLF sequences to inject arbitrary log entries.
Only users of stream-based syslog services who configure Rfc5424Layout directly are affected. Users of the SyslogAppender are not affected.
25) Always-Incorrect Control Flow Implementation (CVE-ID: CVE-2026-41988)
CWE-ID: CWE-670 - Always-Incorrect Control Flow Implementation
CVSSv4: CVSS:4.0/AV:L/AC:H/AT:N/PR:L/UI:N/VC:N/VI:N/VA:N/SC:N/SI:L/SA:N/E:U/U:Clear
The vulnerability allows a local user to modify data on the system.
The vulnerability exists because uuid can make unexpected writes when external output buffers are used. A local user can gain unauthorized access to modify data on the system.
26) HTTP response splitting (CVE-ID: CVE-2026-42578)
CWE-ID: CWE-113 - Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Response Splitting')
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to inject arbitrary HTTP headers into CONNECT proxy requests.
The vulnerability exists due to improper neutralization of CRLF sequences in HTTP headers in io.netty.handler.proxy.HttpProxyHandler newInitialMessage() when handling user-influenced outbound headers. A remote attacker can supply crafted header values containing CRLF sequences to inject arbitrary HTTP headers into CONNECT proxy requests.
Exploitation requires an application to use HttpProxyHandler with user-influenced outboundHeaders without performing its own CRLF sanitization.
27) Improper Encoding or Escaping of Output (CVE-ID: CVE-2026-34479)
CWE-ID: CWE-116 - Improper Encoding or Escaping of Output
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to cause downstream log processing systems to drop or fail to index affected records.
The vulnerability exists due to improper output neutralization in Log4j1XmlLayout when producing XML log output containing characters forbidden by the XML 1.0 standard. A remote attacker can cause such characters to be included in logged data to cause downstream log processing systems to drop or fail to index affected records.
The issue affects configurations using Log4j1XmlLayout directly in a Log4j Core 2 configuration file or through the Log4j 1 configuration compatibility layer with org.apache.log4j.xml.XMLLayout specified as the layout class.
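Entries 18 and 27 concern characters that the XML 1.0 grammar forbids outright, so they cannot be escaped into a well-formed document. The following is an added example, not Log4j code: it neutralises such characters before a message or MDC value reaches an XML layout and offers a detection check; the event format and sample values are constructed for the example.

```javascript
// Added example, not Log4j code: neutralise characters the XML 1.0 grammar
// forbids before a message or MDC value reaches an XML layout, so a single bad
// character can neither make the event unparsable downstream nor throw inside
// the logging call. Escaping of XML markup is a separate, later step.

// XML 1.0 "Char" production: #x9 | #xA | #xD | [#x20-#xD7FF] | [#xE000-#xFFFD]
// | [#x10000-#x10FFFF]. Other C0 controls, lone surrogates and U+FFFE/U+FFFF
// are not allowed anywhere in a document, not even as character references.
function isXml10Char(cp) {
  return cp === 0x9 || cp === 0xA || cp === 0xD ||
    (cp >= 0x20 && cp <= 0xD7FF) ||
    (cp >= 0xE000 && cp <= 0xFFFD) ||
    (cp >= 0x10000 && cp <= 0x10FFFF);
}

// Replace each forbidden code point with a visible "\uXXXX" marker. The event
// survives intact and the offending input stays visible to whoever reads the log.
function neutralizeForXml10(text) {
  let out = '';
  for (let i = 0; i < text.length; i++) {
    const cp = text.codePointAt(i);      // a lone surrogate yields the surrogate itself
    if (isXml10Char(cp)) {
      out += String.fromCodePoint(cp);
      if (cp > 0xFFFF) i++;              // consumed both halves of a surrogate pair
    } else {
      out += '\\u' + cp.toString(16).toUpperCase().padStart(4, '0');
    }
  }
  return out;
}

// True when text contains at least one forbidden code point; usable as a
// detection signal independent of the rewriting above.
function hasForbiddenXml10Chars(text) {
  return neutralizeForXml10(text) !== text;
}

// Escape XML markup characters in text content and attribute values.
function escapeXml(text) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;' };
  return text.replace(/[&<>"]/g, (c) => map[c]);
}

// Render one log event (constructed format). Level, MDC keys, MDC values and
// the message all pass through neutralizeForXml10 and then escapeXml; MDC keys
// are emitted as attribute values so an odd key cannot break element syntax.
function xmlLogEvent(level, message, mdc = {}) {
  const clean = (s) => escapeXml(neutralizeForXml10(String(s)));
  const mdcXml = Object.entries(mdc)
    .map(([k, v]) => `<mdc key="${clean(k)}">${clean(v)}</mdc>`)
    .join('');
  return `<event level="${clean(level)}">${mdcXml}<message>${clean(message)}</message></event>`;
}
```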
28) Improper access control (CVE-ID: CVE-2026-42038)
CWE-ID: CWE-284 - Improper Access Control
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to disclose sensitive information.
The vulnerability exists due to improper access control in shouldBypassProxy() when processing URLs against no_proxy rules. A remote attacker can supply a URL using an IP alias instead of the hostname to disclose sensitive information.
In server-side environments, requests intended to bypass proxies can instead be routed through an attacker-controlled proxy. This can affect access to internal or cloud metadata services.
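Entries 4, 5 and 28 all come down to the request host and the NO_PROXY rule not being normalised the same way, so an alias of a loopback or internal host lands on the wrong side of the decision. The following is an added example, not axios code: a bypass decision that canonicalises both the URL host and the rule before comparing them; the hostnames, rules and URLs are constructed for the example.

```javascript
// Added example, not axios code: decide whether a request should skip the
// proxy by canonicalising the URL host and every NO_PROXY rule the same way,
// so no spelling of loopback can be judged differently from another.

// Map a hostname (as returned by URL.hostname) onto a comparison key. All
// loopback spellings collapse to the single token "loopback"; other hosts are
// lower-cased with any trailing dot removed. The URL parser has already
// expanded IPv4 shorthand such as "127.1" and compressed IPv6 literals.
function canonicalHost(hostname) {
  let h = hostname.toLowerCase();
  if (h.startsWith('[') && h.endsWith(']')) h = h.slice(1, -1); // "[::1]" -> "::1"
  h = h.replace(/\.+$/, '');                                      // "localhost." -> "localhost"
  if (h === '::1') return 'loopback';
  if (/^\d{1,3}(\.\d{1,3}){3}$/.test(h) && h.startsWith('127.')) return 'loopback'; // 127.0.0.0/8
  if (h === 'localhost' || h.endsWith('.localhost')) return 'loopback';
  return h;
}

// Parse a NO_PROXY value: comma-separated entries, "*" meaning every host,
// and a leading dot marking a domain-suffix rule.
function parseNoProxy(value) {
  return (value || '').split(',').map((s) => s.trim().toLowerCase()).filter(Boolean);
}

// Decide whether a request to urlString should go direct. Both sides of the
// comparison pass through canonicalHost, so a rule written as "localhost"
// also covers "127.0.0.2", "localhost." and "[::1]", and a rule written as
// "127.0.0.1" covers "localhost"; an alias cannot slip to the other side.
function shouldBypassProxy(urlString, noProxy) {
  const host = canonicalHost(new URL(urlString).hostname);
  for (const rule of parseNoProxy(noProxy)) {
    if (rule === '*') return true;
    if (rule.startsWith('.')) {
      if (host.endsWith(rule)) return true;   // ".internal" matches "db.internal" only
    } else if (canonicalHost(rule) === host) {
      return true;
    }
  }
  return false;
}
```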
29) Out-of-bounds write (CVE-ID: CVE-2026-41907)
CWE-ID: CWE-787 - Out-of-bounds write
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Amber
The vulnerability allows a remote attacker to compromise the vulnerable system.
The vulnerability exists because the software accepts external output buffers but does not reject out-of-range writes (a small buf or a large offset). A remote attacker can create a specially crafted file, trick the victim into opening it using the affected software, trigger an out-of-bounds write and execute arbitrary code on the target system.
30) Uncontrolled Recursion (CVE-ID: CVE-2026-41680)
CWE-ID: CWE-674 - Uncontrolled Recursion
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:P/U:Green
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to infinite recursion in the block tokenizer. A remote attacker can pass specially crafted input to the application and perform a denial of service (DoS) attack.
31) Prototype pollution (CVE-ID: CVE-2026-42033)
CWE-ID: CWE-1321 - Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to tamper with JSON responses and disclose sensitive information.
The vulnerability exists due to prototype pollution in parseReviver handling in the transformResponse functionality when processing JSON responses in a process where Object.prototype has been polluted by a co-dependency. A remote attacker can pollute Object.prototype.parseReviver to tamper with JSON responses and disclose sensitive information.
This issue affects the parseReviver gadget and requires a separate source of prototype pollution in the same process.
32) Allocation of Resources Without Limits or Throttling (CVE-ID: CVE-2026-42034)
CWE-ID: CWE-770 - Allocation of Resources Without Limits or Throttling
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to cause a denial of service.
The vulnerability exists due to allocation of resources without limits or throttling in the HTTP adapter native http/https transport path when sending streamed request bodies with maxRedirects set to 0. A remote attacker can send an oversized streamed upload to cause a denial of service.
The issue affects only stream request bodies; buffered request bodies and requests using default or nonzero redirect handling follow different enforcement paths.
33) HTTP response splitting (CVE-ID: CVE-2026-42035)
CWE-ID: CWE-113 - Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Response Splitting')
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to inject arbitrary HTTP headers into outgoing requests.
The vulnerability exists due to improper neutralization of CRLF sequences in HTTP headers in lib/adapters/http.js when processing data payloads in HTTP requests after a polluted object prototype causes plain objects to be treated as FormData instances. A remote attacker can pollute Object.prototype so that an attacker-controlled getHeaders() function is invoked to inject arbitrary HTTP headers into outgoing requests.
Exploitation requires a prototype pollution primitive somewhere in the application's dependency chain and the application must use Axios to send requests with a data payload such as POST, PUT, or PATCH.
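Entries 1, 6, 31 and 33 share one precondition: a value already planted on Object.prototype is read by the client as though the caller supplied it. The following is an added example, not axios code: a config merge that consults own properties only, beside the unsafe form that walks the prototype chain, plus a runtime check that reports such properties; KNOWN_KEYS, the sample config and the simulated pollution are constructed for the example.

```javascript
// Added example, not axios code: merge a client's default config with a
// per-request config so that properties planted on Object.prototype never
// reach the merged result, and report such properties when they exist.

// The config keys this client understands; constructed for the example.
const KNOWN_KEYS = ['url', 'method', 'headers', 'validateStatus', 'parseReviver'];

// Unsafe merge: the `in` operator and plain reads walk the prototype chain, so
// a polluted Object.prototype.validateStatus is copied as if the caller set it.
function mergeConfigUnsafe(defaults, request) {
  const out = {};
  for (const key of KNOWN_KEYS) {
    if (key in request) out[key] = request[key];
    else if (key in defaults) out[key] = defaults[key];
  }
  return out;
}

// Hardened merge: only own properties are consulted, and the result has a null
// prototype so later reads cannot fall through to Object.prototype either.
function mergeConfigSafe(defaults, request) {
  const out = Object.create(null);
  for (const key of KNOWN_KEYS) {
    if (Object.hasOwn(request, key)) out[key] = request[key];
    else if (Object.hasOwn(defaults, key)) out[key] = defaults[key];
  }
  return out;
}

// Built-in status check, used whenever the config carries no own validateStatus.
function defaultValidateStatus(status) {
  return status >= 200 && status < 300;
}

function resolveValidateStatus(config) {
  const fn = Object.hasOwn(config, 'validateStatus') ? config.validateStatus : undefined;
  return typeof fn === 'function' ? fn : defaultValidateStatus;
}

// Runtime guard: list config keys that unexpectedly exist on Object.prototype.
// An empty list is the healthy state; anything else is worth an alert.
function pollutedConfigKeys() {
  return KNOWN_KEYS.filter((key) => Object.hasOwn(Object.prototype, key));
}

// Demonstration: simulate pollution already present in the process (the
// precondition the bulletin describes), compare the two merges, and always
// restore Object.prototype afterwards.
function demo() {
  const defaults = { method: 'get' };
  const request = { url: 'https://api.example.test/me' };   // constructed
  Object.prototype.validateStatus = () => true;             // simulated pre-existing pollution
  try {
    const unsafe = mergeConfigUnsafe(defaults, request);
    const safe = mergeConfigSafe(defaults, request);
    return {
      polluted: pollutedConfigKeys(),                        // ['validateStatus']
      unsafeAccepts401: resolveValidateStatus(unsafe)(401),  // true: polluted function used
      safeAccepts401: resolveValidateStatus(safe)(401),      // false: built-in check used
      safeHasOwnKey: Object.hasOwn(safe, 'validateStatus'),  // false
    };
  } finally {
    delete Object.prototype.validateStatus;
  }
}
```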
34) Allocation of Resources Without Limits or Throttling (CVE-ID: CVE-2026-42036)
CWE-ID: CWE-770 - Allocation of Resources Without Limits or Throttling
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to cause a denial of service.
The vulnerability exists due to allocation of resources without limits or throttling in the HTTP adapter streamed response handling when processing responses with responseType: 'stream' and enforcing maxContentLength. A remote attacker can send a specially crafted oversized response to cause a denial of service.
The issue affects Node.js applications that rely on maxContentLength as a safety boundary while using streamed Axios responses.
35) CRLF injection (CVE-ID: CVE-2026-42037)
CWE-ID: CWE-93 - Improper Neutralization of CRLF Sequences ('CRLF Injection')
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to inject arbitrary multipart part headers.
The vulnerability exists due to improper neutralization of CRLF sequences in FormDataPart constructor in lib/helpers/formDataToStream.js when processing Blob/File-like object MIME types in multipart form-data generation. A remote attacker can supply a specially crafted blob.type value to inject arbitrary multipart part headers.
This issue is reachable through the public axios FormData posting API in Node.js environments that accept attacker-controlled file metadata and relay it downstream.
36) Use of uninitialized resource (CVE-ID: CVE-2026-45736)
CWE-ID: CWE-908 - Use of Uninitialized Resource
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a remote user to disclose sensitive information.
The vulnerability exists due to use of uninitialized resource in websocket.close() when processing a TypedArray passed as the reason argument. A remote privileged user can pass a crafted TypedArray as the close reason to disclose sensitive information.
The issue is only exploitable through misuse that is unlikely in practice.
Remediation
Install update from vendor's website.