Cyber Resilience

CVE-2026-42264

HighPublic PoCUpdated

Published: 08 May 2026

Published
08 May 2026
Modified
30 June 2026
KEV Added
Patch
CVSS Score v3.1 7.4 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N
EPSS Score 0.0047 37.0th percentile
Risk Priority 55 floored blend · peak EPSS

Summary

CVE-2026-42264 is a high-severity Prototype Pollution (CWE-1321) vulnerability in Axios Axios. Its CVSS base score is 7.4 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Web Protocols (T1071.001); ranked at the 37.0th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

OWASP Top 10 for Web (2025)

EU & UK References

Vulnerability details

Axios is a promise based HTTP client for the browser and Node.js. From version 1.0.0 to before version 1.15.2, fFive config properties (auth, baseURL, socketPath, beforeRedirect, and insecureHTTPParser) in the HTTP adapter are read via direct property access without hasOwnProperty…

more

guards, making them exploitable as prototype pollution gadgets. When Object.prototype is polluted by another dependency in the same process, axios silently picks up these polluted values on every outbound HTTP request. This issue has been patched in version 1.15.2.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1071.001 Web Protocols Command And Control
Adversaries may communicate using application layer protocols associated with web traffic to avoid detection/network filtering by blending in with existing traffic.
T1041 Exfiltration Over C2 Channel Exfiltration
Adversaries may steal data by exfiltrating it over an existing command and control channel.
Why these techniques?

Prototype pollution gadget directly manipulates Axios HTTP adapter properties (baseURL, auth, beforeRedirect), enabling control over outbound web requests and data exfiltration.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-42033Same product: Axios Axios
CVE-2026-42035Same product: Axios Axios
CVE-2026-42044Same product: Axios Axios
CVE-2025-62718Same product: Axios Axios
CVE-2024-57965Same product: Axios Axios
CVE-2026-42043Same product: Axios Axios
CVE-2026-42038Same product: Axios Axios
CVE-2026-40175Same product: Axios Axios
CVE-2026-42039Same product: Axios Axios
CVE-2026-25639Same product: Axios Axios

Affected Assets

axios
axios
1.0.0 — 1.15.2

Mitigating Controls

No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.

References