CVE-2026-42039

Daily digests

An attacker can crash any Node.js service that passes user-supplied data through Axios's toFormData helper by sending deeply nested objects that trigger unbounded recursion. The server runs out of stack space and dies, giving you a straightforward denial-of-service. No authentication or special access is required if your API accepts arbitrary JSON bodies.

• Daily Digest · May 5, 2026

  Linux ksmbd RCE (9.8) + 4 more to review