What is CVE-2026-44489?

CVE-2026-44489 is a low-severity vulnerability, classified under HTTP Response Splitting. CVSS score: 3.7/10. Published 2026-06-11.

How severe is CVE-2026-44489?

Low severity. CVSS v3 base score is 3.7 out of 10.

CVE-2026-44489

CVE-2026-44489

Axios is a promise based HTTP client for the browser and Node.js. From 1.15.2 to before 1.16.0, nested objects created by utils.merge() (e.g., config.proxy) are still constructed as plain {} with Object.prototype in their chain. The setPro…

CVSS v3 metric

CVSS v3 base score 3.7 (Low). Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N.

Weakness classification (CWE)

CWE-113 — HTTP Response Splitting
CWE-1321 — Improperly Controlled Modification of Object Prototype Attributes (Prototype Pollution)

References

security-advisories@github.com

Frequently asked questions

What is CVE-2026-44489?: CVE-2026-44489 is a low-severity vulnerability, classified under HTTP Response Splitting. CVSS score: 3.7/10. Published 2026-06-11.
How severe is CVE-2026-44489?: Low severity. CVSS v3 base score is 3.7 out of 10.