Cyber Posture

CVE-2026-42264

High

Published: 08 May 2026

Published
08 May 2026
Modified
08 May 2026
KEV Added
Patch
CVSS Score 7.4 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N
EPSS Score 0.0003 9.6th percentile
Risk Priority 15 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2026-42264 is a high-severity Prototype Pollution (CWE-1321) vulnerability. Its CVSS base score is 7.4 (High).

Operationally, ranked at the 9.6th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

NVD Description

Axios is a promise based HTTP client for the browser and Node.js. From version 1.0.0 to before version 1.15.2, fFive config properties (auth, baseURL, socketPath, beforeRedirect, and insecureHTTPParser) in the HTTP adapter are read via direct property access without hasOwnProperty…

more

guards, making them exploitable as prototype pollution gadgets. When Object.prototype is polluted by another dependency in the same process, axios silently picks up these polluted values on every outbound HTTP request. This issue has been patched in version 1.15.2.

Deeper analysisAI

Automated synthesis unavailable for this CVE.

Details

CWE(s)
CWE-1321

Affected Products

Node.js. From
inferred from references and description; NVD did not file a CPE for this CVE

CVEs Like This One

CVE-2026-28794Shared CWE-1321
CVE-2024-57083Shared CWE-1321
CVE-2024-38988Shared CWE-1321
CVE-2026-33696Shared CWE-1321
CVE-2024-38985Shared CWE-1321
CVE-2025-70956Shared CWE-1321
CVE-2025-25977Shared CWE-1321
CVE-2026-25047Shared CWE-1321
CVE-2026-25881Shared CWE-1321
CVE-2026-42232Shared CWE-1321

References