What is the CVSS score of CVE-2026-42044?

CVE-2026-42044 has a CVSS 3.1 base score of 6.5 (Medium). CVSS vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:H/A:N. EPSS exploitation probability: 0.0%.

Is there a public PoC exploit available for CVE-2026-42044?

Yes, a public proof-of-concept exploit is available for CVE-2026-42044. Prioritise patching immediately. EPSS: 0.0%.

Is there a patch available for CVE-2026-42044?

Yes, a patch is available for CVE-2026-42044. Update the affected software to the latest version immediately.

Axios CVE-2026-42044

EUVD-2026-25609 MEDIUM

Improperly Controlled Modification of Dynamically-Determined Object Attributes (CWE-915)

2026-04-24 GitHub_M

GHSA-3w6x-2g7m-8v23

Node.js Privilege Escalation Red Hat

6.5

CVSS 3.1 · GitHub Advisory

Severity by source

GitHub Advisory PRIMARY

6.5 MEDIUM

AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:H/A:N

Red Hat

7.4 HIGH

qualitative

Primary rating from GitHub Advisory.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:H/A:N

Attack Vector

Network

Attack Complexity

High

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

Low

Integrity

High

Availability

None

Lifecycle Timeline

Patch released

Apr 27, 2026 - 20:04 nvd

Patch available

Apr 24, 2026 - 20:17 EUVD

Analysis Generated

Apr 24, 2026 - 18:46 vuln.today

EUVD ID Assigned

Apr 24, 2026 - 18:15 euvd

EUVD-2026-25609

Analysis Generated

Apr 24, 2026 - 18:15 vuln.today

CVE Published

Apr 24, 2026 - 17:49 nvd

MEDIUM 6.5

Blast Radius

ecosystem impact

† from your stack dependencies † transitive graph · vuln.today resolves 4-path depth

273 npm packages depend on axios (189 direct, 84 indirect)

Ecosystem-wide dependent count for version 1.0.0.

DescriptionGitHub Advisory

Axios is a promise based HTTP client for the browser and Node.js. From 1.0.0 to before 1.15.2, he Axios library is vulnerable to a Prototype Pollution "Gadget" attack that allows any Object.prototype pollution in the application's dependency tree to be escalated into surgical, invisible modification of all JSON API responses - including privilege escalation, balance manipulation, and authorization bypass. The default transformResponse function at lib/defaults/index.js:124 calls JSON.parse(data, this.parseReviver), where this is the merged config object. Because parseReviver is not present in Axios defaults, not validated by assertOptions, and not subject to any constraints, a polluted Object.prototype.parseReviver function is called for every key-value pair in every JSON response, allowing the attacker to selectively modify individual values while leaving the rest of the response intact. This vulnerability is fixed in 1.15.2.

AnalysisAI

Prototype pollution in Axios JSON parsing allows attackers to manipulate JSON API responses through Object.prototype pollution in the dependency tree, enabling privilege escalation, balance manipulation, and authorization bypass on applications using affected versions 1.0.0 through 1.15.1. The vulnerability exploits the parseReviver callback parameter in the default transformResponse function, which processes every key-value pair in JSON responses without validation, permitting surgical modification of individual response values while remaining invisible to the application logic.

Unlock full vulnerability intelligence

Risk assessment & exploitation conditions
Attack chain visualization
Remediation with exact patch versions
Threat intelligence from 22 sources
Personal watchlist & email alerts

Continue with Google Continue with GitHub

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Recon

Identify or introduce prototype pollution in application dependency

Delivery

Pollute Object.prototype.parseReviver with malicious function

Exploit

Application calls Axios-wrapped API request

Install

Axios receives JSON response

transformResponse calls JSON.parse with inherited parseReviver

Execute

Malicious callback modifies response values

Impact

Application operates on attacker-manipulated data

Step 8

Authorization or balance logic compromised

Recon

Identify or introduce prototype pollution in application dependency

Delivery

Pollute Object.prototype.parseReviver with malicious function

Exploit

Application calls Axios-wrapped API request

Install

Axios receives JSON response

transformResponse calls JSON.parse with inherited parseReviver

Execute

Malicious callback modifies response values

Impact

Application operates on attacker-manipulated data

Step 8

Authorization or balance logic compromised

Vulnerability AssessmentAI

Exploitation	Successful exploitation requires two specific conditions: (1) the target application must use Axios versions 1.0.0 through 1.15.1 for JSON API response parsing, AND (2) a separate prototype pollution vulnerability must already exist in the application's dependency tree (either through a known CVE in a transitive dependency, a supply-chain compromise, or a previously unreported gadget chain in npm packages). … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment	This vulnerability presents moderate-to-high real-world risk despite the CVSS score of 6.5. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario	An attacker first identifies or introduces a prototype pollution vulnerability in a transitive dependency of the target application (e.g., a popular npm package with a known or zero-day prototype pollution flaw). Through this initial pollution, the attacker sets Object.prototype.parseReviver to a malicious function that selectively modifies API response values - for example, changing a user's role from 'user' to 'admin' or multiplying an account balance by 10. …
Remediation	Upgrade Axios to version 1.15.2 or later, which removes the vulnerability by properly defining parseReviver in the default configuration (ensuring it cannot be overridden by prototype pollution) and validating the parameter through assertOptions. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

More from same product – last 7 days

CVE-2026-53633 CRITICAL Act Now

9.8 Jun 15

Remote code execution in Vitest Browser Mode (npm @vitest/browser 3.0.0-3.2.4, 4.0.0-4.1.7, 5.0.0-beta.0-5.0.0-beta.3) a

CVE-2026-48714 CRITICAL Act Now

9.1 Jun 15

Remote prototype pollution in i18next-http-middleware before 3.9.7 allows unauthenticated attackers to write to Object.p

CVE-2026-53609 CRITICAL Act Now

9.1 Jun 12

Prototype pollution in ApostropheCMS versions up to and including 4.30.0 allows an authenticated editor to poison Object

CVE-2026-48054 HIGH This Week

8.8 Jun 11

Code injection in OpenZeppelin Contracts Wizard's `@openzeppelin/wizard` npm package (<=0.10.8) allows attacker-supplied

CVE-2026-53608 HIGH This Week

8.7 Jun 12

Stored cross-site scripting in the @apostrophecms/seo plugin (versions ≤1.4.2) allows any user holding the default edito

Vendor StatusVendor

CVE-2026-42044 vulnerability details – vuln.today

Back

Axios CVE-2026-42044

Severity by source

CVSS VectorGitHub Advisory

Lifecycle Timeline

Blast Radius

DescriptionGitHub Advisory

AnalysisAI

Unlock full vulnerability intelligence

Attack ChainAIDerived

Vulnerability AssessmentAI

More from same product – last 7 days

Vendor StatusVendor

Share

External POC / Exploit Code