1. Axios CRLF Header Injection Chains with Prototype Pollution to Enable AWS Credential Theft via IMDSv2 Bypass — CVSS 9.9
A critical CRLF injection flaw in the Axios HTTP client library, tracked as CVE-2026-40175, allows attackers to inject arbitrary headers into outbound HTTP requests when combined with prototype pollution vulnerabilities present in other JavaScript dependencies. Security researchers at Heimdall Security flagged the issu...
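A defensive sketch of the two checks this chain has to get past, added here as an illustration and not taken from Axios or its patch: copy only own properties into the outgoing header set, and reject any name or value carrying CR, LF or NUL. The names `safeHeaders`, `HeaderInjectionError` and `demo` are hypothetical, and the polluted value is constructed.

```javascript
// Added example, not Axios code or its patch. safeHeaders, demo and
// HeaderInjectionError are hypothetical names.
const TOKEN = /^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$/; // RFC 9110 field-name token
const FORBIDDEN = /[\r\n\0]/;                   // CR, LF, NUL are never valid in a value

class HeaderInjectionError extends Error {}

function safeHeaders(userHeaders) {
  // Null-prototype target: lookups cannot fall through to Object.prototype.
  const out = Object.create(null);
  if (userHeaders === null || typeof userHeaders !== 'object') return out;
  // Object.keys yields own enumerable keys only, so inherited (polluted)
  // properties are skipped; for...in would include them.
  for (const name of Object.keys(userHeaders)) {
    if (!TOKEN.test(name)) {
      throw new HeaderInjectionError(`invalid header name: ${JSON.stringify(name)}`);
    }
    const values = Array.isArray(userHeaders[name]) ? userHeaders[name] : [userHeaders[name]];
    for (const v of values) {
      if (typeof v !== 'string' && typeof v !== 'number') {
        throw new HeaderInjectionError(`non-scalar value for ${name}`);
      }
      if (FORBIDDEN.test(String(v))) {
        throw new HeaderInjectionError(`CR/LF/NUL in value of ${name}`);
      }
    }
    out[name.toLowerCase()] = values.map(String).join(', ');
  }
  return out;
}

function demo() {
  // Constructed pollution, standing in for a bug in some other dependency.
  Object.prototype['x-trace'] = 'abc\r\nX-Injected: 1';
  try {
    const cfg = { Accept: 'application/json' };
    const naive = {};
    for (const k in cfg) naive[k] = cfg[k]; // walks the prototype chain
    const safe = safeHeaders(cfg);
    let rejected = false;
    try { safeHeaders({ 'X-Id': 'abc\r\nX-Injected: 1' }); }
    catch (e) { rejected = e instanceof HeaderInjectionError; }
    return { naiveKeys: Object.keys(naive), safeKeys: Object.keys(safe), rejected };
  } finally {
    delete Object.prototype['x-trace']; // undo the constructed pollution
  }
}
```

The naive merge picks up the inherited `x-trace` entry with its embedded line break, while the guarded builder emits only `accept` and refuses an own value containing CR/LF.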