What is the CVSS score of CVE-2026-42036?

CVE-2026-42036 has a CVSS 3.1 base score of 5.3 (Medium). CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L. EPSS exploitation probability: 0.0%.

Is there a public PoC exploit available for CVE-2026-42036?

Yes, a public proof-of-concept exploit is available for CVE-2026-42036. Prioritise patching immediately. EPSS: 0.0%.

Is there a patch available for CVE-2026-42036?

Yes, a patch is available for CVE-2026-42036. Update the affected software to the latest version immediately.

Axios CVE-2026-42036

EUVD-2026-25602 MEDIUM

Allocation of Resources Without Limits or Throttling (CWE-770)

2026-04-24 GitHub_M

GHSA-vf2m-468p-8v99

Node.js Denial Of Service Red Hat

5.3

CVSS 3.1 · GitHub Advisory

Severity by source

GitHub Advisory PRIMARY

5.3 MEDIUM

AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

Red Hat

5.3 MEDIUM

qualitative

Primary rating from GitHub Advisory.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

None

Integrity

None

Availability

Low

Lifecycle Timeline

Patch released

Apr 27, 2026 - 19:57 nvd

Patch available

Apr 24, 2026 - 20:17 EUVD

Analysis Generated

Apr 24, 2026 - 18:45 vuln.today

EUVD ID Assigned

Apr 24, 2026 - 18:15 euvd

EUVD-2026-25602

Analysis Generated

Apr 24, 2026 - 18:15 vuln.today

CVE Published

Apr 24, 2026 - 18:00 nvd

MEDIUM 5.3

Blast Radius

ecosystem impact

† from your stack dependencies † transitive graph · vuln.today resolves 4-path depth

273 npm packages depend on axios (189 direct, 84 indirect)

Ecosystem-wide dependent count for version 1.0.0.

DescriptionGitHub Advisory

Axios is a promise based HTTP client for the browser and Node.js. Prior to 1.15.1 and 0.31.1, when responseType: 'stream' is used, Axios returns the response stream without enforcing maxContentLength. This bypasses configured response-size limits and allows unbounded downstream consumption. This vulnerability is fixed in 1.15.1 and 0.31.1.

AnalysisAI

Axios HTTP client prior to version 1.15.1 (1.x branch) and 0.31.1 (0.x branch) fails to enforce maxContentLength limits when responseType is set to 'stream', allowing attackers to cause denial of service by streaming unbounded response payloads that bypass configured size restrictions. The vulnerability affects both browser and Node.js environments and requires no authentication or user interaction to exploit.

Unlock full vulnerability intelligence

Risk assessment & exploitation conditions
Attack chain visualization
Remediation with exact patch versions
Threat intelligence from 22 sources
Personal watchlist & email alerts

Continue with Google Continue with GitHub

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access

Network attacker sends HTTP request

Delivery

Axios stream handler bypasses maxContentLength check

Exploit

Unbounded response stream returned to application

Execution

Application consumes entire stream into memory

Impact

Memory exhaustion causes denial of service

Access

Network attacker sends HTTP request

Delivery

Axios stream handler bypasses maxContentLength check

Exploit

Unbounded response stream returned to application

Execution

Application consumes entire stream into memory

Impact

Memory exhaustion causes denial of service

Vulnerability AssessmentAI

Exploitation	Exploitation requires the target application to explicitly set responseType: 'stream' when making HTTP requests with Axios. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment	CVSS 5.3 with AV:N/AC:L/PR:N/UI:N indicates network-accessible denial of service with low attack complexity and no privilege or interaction requirements. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario	An attacker crafts an HTTP request to a vulnerable application configured with Axios responseType: 'stream' and a maxContentLength limit (e.g., 10MB). The attacker's server sends an HTTP response with a Content-Length header claiming a small size (1MB) but streams gigabytes of data. …
Remediation	Upgrade to Axios 1.15.1 or later for the 1.x branch, or to 0.31.1 or later for the 0.x branch. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

More from same product – last 7 days

CVE-2026-53633 CRITICAL Act Now

9.8 Jun 15

Remote code execution in Vitest Browser Mode (npm @vitest/browser 3.0.0-3.2.4, 4.0.0-4.1.7, 5.0.0-beta.0-5.0.0-beta.3) a

CVE-2026-48714 CRITICAL Act Now

9.1 Jun 15

Remote prototype pollution in i18next-http-middleware before 3.9.7 allows unauthenticated attackers to write to Object.p

CVE-2026-53609 CRITICAL Act Now

9.1 Jun 12

Prototype pollution in ApostropheCMS versions up to and including 4.30.0 allows an authenticated editor to poison Object

CVE-2026-48054 HIGH This Week

8.8 Jun 11

Code injection in OpenZeppelin Contracts Wizard's `@openzeppelin/wizard` npm package (<=0.10.8) allows attacker-supplied

CVE-2026-53608 HIGH This Week

8.7 Jun 12

Stored cross-site scripting in the @apostrophecms/seo plugin (versions ≤1.4.2) allows any user holding the default edito

Vendor StatusVendor

CVE-2026-42036 vulnerability details – vuln.today

Back

Axios CVE-2026-42036

Severity by source

CVSS VectorGitHub Advisory

Lifecycle Timeline

Blast Radius

DescriptionGitHub Advisory

AnalysisAI

Unlock full vulnerability intelligence

Attack ChainAIDerived

Vulnerability AssessmentAI

More from same product – last 7 days

Vendor StatusVendor

Share

External POC / Exploit Code