CVE-2026-42264
HIGH · CVSS v3.1: 7.4 · EPSS: 0.0041 (33.1 percentile)
At a glance
- Severity: HIGH
- CVSS: 7.4 (v3.1) · Source: NVD
- EPSS: 0.0041 (33.1 percentile) · Source: FIRST.org
- CISA KEV: No
- Attack conditions (CVSS vector): Network · No privileges · No user interaction · Source: NVD vector
- Affected vendors: axios
- Published: 2026-05-08 · Modified: 2026-06-30
- References: 8 (listed below)
CVSS / EPSS / KEV
Sources: CVSS from NVD; EPSS from FIRST.org; KEV from CISA.
Description
Axios is a promise-based HTTP client for the browser and Node.js. From version 1.0.0 to before version 1.15.2, five config properties (auth, baseURL, socketPath, beforeRedirect, and insecureHTTPParser) in the HTTP adapter are read via direct property access without hasOwnProperty guards, making them exploitable as prototype pollution gadgets. When Object.prototype is polluted by another dependency in the same process, axios silently picks up these polluted values on every outbound HTTP request. This issue has been patched in version 1.15.2.
References
Reference URLs as listed by NVD, grouped by a mechanical match on the link's host/pattern. Labels describe the link type only.
- Patch https://github.com/axios/axios/commit/47915144662f2733e6c051bdcb895a8c8f0586aa
- Reference https://github.com/axios/axios/pull/10779
- Patch https://github.com/axios/axios/releases/tag/v1.15.2
- Vendor advisory https://github.com/axios/axios/security/advisories/GHSA-q8qp-cvcw-x6jj
- Distro https://access.redhat.com/errata/RHSA-2026:33173
- Distro https://access.redhat.com/security/cve/CVE-2026-42264
- Distro https://bugzilla.redhat.com/show_bug.cgi?id=2467927
- Distro https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-42264.json