CVE-2026-40175NVD

Vulnerability Summary

Axios is a promise based HTTP client for the browser and Node.js. Versions prior to 1.15.0 and 0.3.1 are vulnerable to a specific gadget-style attack chain in which prototype pollution in a third-party dependency may be leveraged to inject unsanitized header values into outbound requests. This vulnerability is fixed in 1.15.0 and 0.3.1.

Severity Level

MEDIUM(4.8)

Published Date

Apr 10, 2026

Last Modified

May 20, 2026

Exploitation Status

????

EPSS Score (30-Day)

0.06%Probability

Root Weakness (CWE)

CWE-113: Unknown/Unlisted Weakness ↗

Refer to the official MITRE database for detailed architectural specifications regarding this weakness.

CVSS v3.1 Base Metrics

Attack VectorNetwork

Attack ComplexityHigh

Privileges RequiredNone

User InteractionNone

ScopeUnchanged

ConfidentialityLow

IntegrityLow

AvailabilityNone

External References

https://github.com/axios/axios/commit/03cdfc99e8db32a390e12128208b6778492cee9c
https://github.com/axios/axios/commit/363185461b90b1b78845dc8a99a1f103d9b122a1
https://github.com/axios/axios/pull/10660
https://github.com/axios/axios/pull/10688
https://github.com/axios/axios/releases/tag/v0.31.0
https://github.com/axios/axios/releases/tag/v1.15.0
https://github.com/axios/axios/security/advisories/GHSA-fvcv-3m26-pcqx
https://github.com/axios/axios/pull/10660#issuecomment-4224168081
https://cert-portal.siemens.com/productcert/html/ssa-876049.html

Critical Alert 3 Active Exploits Detected Today

Critical Alert

CVE Watchtower

CVE-2026-40175NVD

Vulnerability Summary

External References