QSearchQSearch

CVE-2026-40175

4.8 MEDIUM

Axios is a promise based HTTP client for the browser and Node.js

Published: 2026-04-10 · Last updated: 2026-05-20

Severity and scoring

CVSS
4.8 MEDIUM
Vector
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N
CWE
CWE-113, CWE-444, CWE-918

Affected products

VendorProduct
axiosaxios

Description

Axios is a promise based HTTP client for the browser and Node.js. Versions prior to 1.15.0 and 0.3.1 are vulnerable to a specific gadget-style attack chain in which prototype pollution in a third-party dependency may be leveraged to inject unsanitized header values into outbound requests. This vulnerability is fixed in 1.15.0 and 0.3.1.

Source: NVD

References

Related CVEs

Same vendor

  • CVE-2025-62718 Axios is a promise based HTTP client for the browser and Node.js (9.9 CRITICAL)
  • CVE-2026-25639 Axios is a promise based HTTP client for the browser and Node.js (7.5 HIGH)

Same CWE

  • CVE-2026-50131 Fedify is a TypeScript library for building federated server apps powered by ActivityPub (8.6 HIGH)
  • CVE-2026-50127 Weblate is a web based localization tool (5.9 MEDIUM)
  • CVE-2026-46683 Snappy is a PHP library allowing thumbnail, snapshot or PDF generation from a url or a html page
  • CVE-2026-20252 In Splunk Enterprise versions below 10.2.4, 10.0.7, 9.4.12, and 9.3.13, and Splunk Cloud Platform versions below 10.4.2604.3, 10.3.2512.1... (7.6 HIGH)
  • CVE-2026-48858 Server-Side Request Forgery (SSRF) vulnerability in Erlang/OTP ftp (ftp_internal module) allows FTP bounce attacks and SSRF via an unvali...