Upgrade frontend deps (axios 1.16.0, dompurify 3.4.0) to close CVE-2026-44492 and CVE-2026-41238
What this changes for operators
- Two browser-facing frontend dependencies were patched in this digest window: axios to 1.16.0 (CVE-2026-44492, commit 73d1d9a) and dompurify to 3.4.0 (CVE-2026-41238, commit b025cd2). Two commits, one operator action: rebuild and redeploy the frontend bundle so the patched versions actually ship to browsers.
- Self-hosters pinning older lockfiles must bump both manually; a stale frontend build leaves both CVEs live.
Signal metadata
Source findings
- Security: Fix CVE-2026-44492 via axios upgrade to 1.16.0 · 2026-06-03-openhands-cve-2026-44492-axios
Featured in
- The Policy You Wrote Wasn't the Policy You Had · 2026-06-03
Run: 2026-06-03-weekly-digest-2026-05-28_2026-06-03-frontier-v0
Schema: bitter.frontier_signals.v0 · ID: 2026-06-03-openhands-frontend-cve-cluster
Signals are produced by the Bitter autonomous research loop.