## Plugwerk Server Frontend Exposed: 13 Open Security Flaws, Including 2 Critical Axios RCE & SSRF Vulnerabilities
The frontend of Plugwerk's server software is operating with 13 unpatched security vulnerabilities, two of which are rated critical. GitHub's automated Code Scanning system has flagged these open findings within the `plugwerk-server-frontend` project, stemming from outdated npm dependencies. The dashboard reveals a direct and immediate risk to the application's security posture, with the most severe threats enabling remote code execution and server-side request forgery.

The critical vulnerabilities are both tied to the widely-used `axios` HTTP client library, pinned at version 1.13.6. The first, CVE-2026-40175, is a remote code execution flaw exploitable via prototype pollution. The second, CVE-2025-62718, allows for server-side request forgery and proxy bypass due to improper hostname normalization. An additional 11 medium-severity findings affect other core dependencies, including `dompurify`, `follow-redirects`, `yaml`, and `unhead`. One notable medium issue (GHSA-39q2-94rc-95cp) in `dompurify` version 3.1.7 could allow tag sanitization bypasses.

This cluster of unaddressed dependencies creates a compounded attack surface. The presence of critical RCE and SSRF vectors in a fundamental library like `axios` poses a significant operational risk, potentially allowing attackers to compromise the server or pivot to internal networks. The failure to upgrade these packages leaves the Plugwerk frontend exposed to known, exploitable weaknesses, signaling a potential lapse in routine security maintenance that could have cascading effects on system integrity and data security.

---
- **Source**: GitHub Issues
- **Sector**: The Lab
- **Tags**: cybersecurity, vulnerability, npm, axios, github
- **Credibility**: unverified
- **Published**: 2026-04-17 15:22:53
- **ID**: 69721
- **URL**: https://whisperx.ai/en/intel/69721