COOEY // HUBcompliance · community · intelligence

Exposures › CVE-2026-42264

CVE-2026-42264

Severity
high
Source
NVD · cve
Published
2026-05-08
CVSS
7.4
Reference
https://nvd.nist.gov/vuln/detail/CVE-2026-42264
⚡ RCE shame 40/100 rce

Axios is a promise based HTTP client for the browser and Node.js. From version 1.0.0 to before version 1.15.2, fFive config properties (auth, baseURL, socketPath, beforeRedirect, and insecureHTTPParser) in the HTTP adapter are read via direct property access without hasOwnPropert

Players implicated

axios · vendoraxios · product

Description

Axios is a promise based HTTP client for the browser and Node.js. From version 1.0.0 to before version 1.15.2, fFive config properties (auth, baseURL, socketPath, beforeRedirect, and insecureHTTPParser) in the HTTP adapter are read via direct property access without hasOwnProperty guards, making them exploitable as prototype pollution gadgets. When Object.prototype is polluted by another dependency in the same process, axios silently picks up these polluted values on every outbound HTTP request. This issue has been patched in version 1.15.2.

Affected FedRAMP products 0 in the catalog

No correlated FedRAMP products.