
Axios HTTP Client CVE-2026-42040

EUVD-2026-25590 · LOW
Improper Encoding or Escaping of Output (CWE-116)
Published 2026-04-24 · CNA: GitHub_M · GHSA-xhjh-pmcv-23jw
CVSS 3.1 score 3.7 (GitHub Advisory)

Severity by source

GitHub Advisory PRIMARY
3.7 LOW
AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N

Primary rating from GitHub Advisory · only source for this CVE.

CVSS Vector (GitHub Advisory)

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N
Attack Vector
Network
Attack Complexity
High
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
Low
Availability
None

Lifecycle Timeline

  • Apr 27, 2026 - 20:09 (nvd): Patch released
  • Apr 24, 2026 - 19:01 (EUVD): Patch available
  • Apr 24, 2026 - 18:15 (vuln.today): Analysis generated
  • Apr 24, 2026 - 18:00 (euvd): EUVD ID assigned (EUVD-2026-25590)
  • Apr 24, 2026 - 18:00 (vuln.today): Analysis generated
  • Apr 24, 2026 - 17:40 (nvd): CVE published

Blast Radius

Ecosystem impact (transitive dependency graph, resolved by vuln.today to a depth of 4):
  • 273 npm packages depend on axios (189 direct, 84 indirect)

Ecosystem-wide dependent count for version 1.0.0.

Description (GitHub Advisory)

Axios is a promise based HTTP client for the browser and Node.js. Prior to 1.15.1 and 0.31.1, the encode() function in lib/helpers/AxiosURLSearchParams.js contains a character mapping (charMap) at line 21 that reverses the safe percent-encoding of null bytes. After encodeURIComponent('\x00') correctly produces the safe sequence %00, the charMap entry '%00': '\x00' converts it back to a raw null byte. Primary impact is limited because the standard axios request flow is not affected. This vulnerability is fixed in 1.15.1 and 0.31.1.
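To make the mechanism concrete, the following is an added example in JavaScript; it is not axios's source and not part of this advisory. It reconstructs an encode() helper with the charMap behaviour the description reports (encodeURIComponent() yields %00, then a '%00': '\x00' entry turns it back into a raw NUL) beside the corrected form, and feeds both outputs to a constructed downstream consumer that truncates at the first NUL, the way a C-string based API would, which is the kind of integrity impact the exploit scenario below relies on. The charMap entries other than '%00', the cStringView() helper and the sample input are assumptions made for illustration.

```javascript
// Added example, not axios's own code. Reconstruction of the encode() behaviour the
// advisory describes; charMap entries other than '%00' are assumed for illustration.

// Vulnerable form: encodeURIComponent() produces "%00" for a null byte, then the
// charMap maps that sequence back to a raw U+0000 character.
function encodeVulnerable(str) {
  const charMap = {
    '!': '%21',
    "'": '%27',
    '(': '%28',
    ')': '%29',
    '~': '%7E',
    '%20': '+',
    '%00': '\x00', // the problematic entry: un-escapes the NUL
  };
  return encodeURIComponent(str).replace(/[!'()~]|%20|%00/g, (m) => charMap[m]);
}

// Fixed form: identical, except "%00" is left as the percent-encoded sequence.
function encodeFixed(str) {
  const charMap = {
    '!': '%21',
    "'": '%27',
    '(': '%28',
    ')': '%29',
    '~': '%7E',
    '%20': '+',
  };
  return encodeURIComponent(str).replace(/[!'()~]|%20/g, (m) => charMap[m]);
}

// Check a reviewer can run over any encoder output: does it carry a raw NUL?
function containsRawNull(s) {
  return s.includes('\x00');
}

// Hypothetical downstream consumer (assumed, not from the page): treats its input as a
// C string and stops at the first NUL, so a raw NUL changes what it sees while "%00"
// does not.
function cStringView(s) {
  const i = s.indexOf('\x00');
  return i === -1 ? s : s.slice(0, i);
}

// Constructed attacker input: a benign-looking name, a NUL, and a trailing suffix.
const userInput = 'report.pdf\x00.exe';

function demo() {
  const vulnerable = encodeVulnerable(userInput);
  const fixed = encodeFixed(userInput);
  return {
    vulnerable,                         // 'report.pdf\x00.exe' (raw NUL survives)
    fixed,                              // 'report.pdf%00.exe'
    vulnerableHasNull: containsRawNull(vulnerable),
    fixedHasNull: containsRawNull(fixed),
    vulnerableSeenDownstream: cStringView('name=' + vulnerable), // 'name=report.pdf'
    fixedSeenDownstream: cStringView('name=' + fixed),           // 'name=report.pdf%00.exe'
  };
}

console.log(demo());
```

Note that the standard axios request path is unaffected, as the advisory says; the example only matters for code that calls a helper like this directly on untrusted input and hands the result to something that interprets raw NULs.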

Analysis (AI-generated)

Axios versions prior to 1.15.1 and 0.31.1 contain a character mapping flaw in the AxiosURLSearchParams.encode() function that reverses safe percent-encoding of null bytes, converting %00 back to raw null bytes. While the standard axios request flow remains unaffected, this vulnerability could enable integrity compromise in edge-case scenarios where encoded parameters are processed by downstream systems expecting percent-encoded values. …


Attack Chain (AI-derived)

Hypothetical attack flow derived from CVE metadata:
  • Access: identify non-standard encode() usage
  • Delivery: craft input with null bytes
  • Exploit: invoke encode() directly
  • Execution: reverse percent-encoding to a raw null byte
  • Persist: inject null bytes into a downstream system
  • Impact: alter application behavior

Vulnerability Assessment (AI-generated)

Exploitation: The vulnerability requires that an attacker can influence input passed directly to the AxiosURLSearchParams.encode() function. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment: This vulnerability presents low real-world risk despite its network attack vector. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario: An attacker would need to identify code within or integrated with an axios deployment that calls AxiosURLSearchParams.encode() directly on attacker-controlled input, rather than using the standard axios request methods. For example, if an application manually invokes encode() on user-supplied data and passes the result to a downstream system that treats a raw null byte differently from the percent-encoded sequence %00, the attacker could inject null bytes to alter the application's behavior. …
Remediation: Vendor-released patch: upgrade axios to version 1.15.1 (for 1.x users) or version 0.31.1 (for 0.x users). … Detailed patch versions, workarounds, and compensating controls in full report.
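As an added check that is not part of this page or of the axios project: a small script that walks an npm lockfile's "packages" map (lockfileVersion 2 or 3) for every axios entry, including nested copies installed under transitive dependencies, and flags versions below the fixed releases named above (0.31.1 for the 0.x line, 1.15.1 for the 1.x line). The sample lockfile and the dependency names some-sdk and other-sdk are constructed.

```javascript
// Added example, not from the page or the axios project: flag axios entries in an npm
// lockfile that fall in the ranges the advisory marks as affected.

function parseVersion(v) {
  // Only the numeric core matters for this check; prerelease/build tags are ignored.
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(v);
  if (!m) throw new Error(`unparseable version: ${v}`);
  return m.slice(1).map(Number);
}

function lessThan(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i];
  }
  return false;
}

// Fixed versions stated in the advisory, keyed by major line.
const FIXED = { 0: [0, 31, 1], 1: [1, 15, 1] };

function isVulnerableAxios(version) {
  const v = parseVersion(version);
  const fixed = FIXED[v[0]];
  // Major lines the advisory does not mention are treated as not affected here;
  // revisit this assumption if the advisory is updated.
  if (!fixed) return false;
  return lessThan(v, fixed);
}

// Walk every installed copy of axios, nested ones included, and return the affected ones.
function findVulnerableAxios(lockfile) {
  const hits = [];
  for (const [path, entry] of Object.entries(lockfile.packages || {})) {
    if (!path.endsWith('node_modules/axios')) continue;
    if (isVulnerableAxios(entry.version)) hits.push({ path, version: entry.version });
  }
  return hits;
}

// Constructed lockfile fragment: a direct axios 1.14.0, an old 0.21.1 nested under a
// hypothetical "some-sdk", and a patched 1.15.1 nested under a hypothetical "other-sdk".
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    '': { dependencies: { axios: '^1.14.0' } },
    'node_modules/axios': { version: '1.14.0' },
    'node_modules/some-sdk/node_modules/axios': { version: '0.21.1' },
    'node_modules/other-sdk/node_modules/axios': { version: '1.15.1' },
  },
};

console.log(findVulnerableAxios(sampleLock));
```

In a real repository, load package-lock.json with JSON.parse and pass it to findVulnerableAxios(); `npm ls axios` will show the same nested copies, which matter because a transitive dependency pinning an old axios is not fixed by bumping the top-level entry alone.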
