What is CVE-2026-42264?

CVE-2026-42264 is a high-severity vulnerability in Axios, classified under Improperly Controlled Modification of Object Prototype Attributes (Prototype Pollution). CVSS score: 7.4/10. Published 2026-05-08.

How severe is CVE-2026-42264?

High severity. CVSS v3 base score is 7.4 out of 10.

Prototype Pollution in Axios

CVE-2026-42264

Axios is a promise based HTTP client for the browser and Node.js. From version 1.0.0 to before version 1.15.2, fFive config properties (auth, baseURL, socketPath, beforeRedirect, and insecureHTTPParser) in the HTTP adapter are read via dir…

Vulnerability class: Prototype Pollution

EPSS: 0.001 (25.8th percentile) — read the EPSS interpretation.

CVSS v3 metric

CVSS v3 base score 7.4 (High). Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N.

Affected products

Axios — versions >= 1.0.0, < 1.15.2

Weakness classification (CWE)

CWE-1321 — Improperly Controlled Modification of Object Prototype Attributes (Prototype Pollution)

References

security-advisories@github.com (x_refsource_CONFIRM, Exploit, Mitigation, Vendor Advisory)
security-advisories@github.com (Patch, x_refsource_MISC, Issue Tracking)
security-advisories@github.com (Patch, x_refsource_MISC)
security-advisories@github.com (Product, x_refsource_MISC, Release Notes)

Frequently asked questions

What is CVE-2026-42264?: CVE-2026-42264 is a high-severity vulnerability in Axios, classified under Improperly Controlled Modification of Object Prototype Attributes (Prototype Pollution). CVSS score: 7.4/10. Published 2026-05-08.
How severe is CVE-2026-42264?: High severity. CVSS v3 base score is 7.4 out of 10.