CVE-2026-42044 - Vulnerability Analysis
MediumCVSS: 6.5Last Updated: April 27, 2026
Axios - Prototype Pollution
Published: April 24, 2026Updated: April 27, 2026PoC AvailableRemote Exploitable
Overview
Axios 1.0.0 to < 1.15.2 contains a prototype pollution vulnerability caused by unvalidated parseReviver in JSON.parse within transformResponse, letting attackers escalate Object.prototype pollution to modify JSON API responses, exploit requires polluted Object.prototype.
Severity & Score
Severity: Medium
CVSS Score: 6.5
Impact
Attackers can invisibly modify JSON API responses, enabling privilege escalation, balance manipulation, and authorization bypass.
Mitigation
Upgrade to version 1.15.2 or later.
Related Resources
Details
- CVE ID
- CVE-2026-42044
- Severity
- Medium
- CVSS Score
- 6.5
- Type
- prototype_pollution
- Status
- confirmed
CWE
- CWE-915
CVSS Metrics
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:H/A:N