CVE-2026-42264 Axios: Prototype pollution read-side gadgets in HTTP adapter allow credential injection and request hijacking

🗓️ 08 May 2026 03:20:24Reported by GitHub_MType

Prototype pollution in Axios HTTP adapter enables credential injection and request hijacking; fixed in version 1.15.2.

Reporter	Title	Published	Views	Family All 58
IBM Security Bulletins	Security Bulletin: IBM Edge Data Collector uses axios-1.15.0.tgz which is vulnerable to CVE-2026-42264	29 May 202610:35	–	ibm
IBM Security Bulletins	Security Bulletin: Multiple vulnerabilities in IBM Observability with Instana (OnPrem)	12 Jun 202606:40	–	ibm
IBM Security Bulletins	Security Bulletin: IBM Maximo Application Suite - Monitor Component uses axios-1.15.0.tgz which is vulnerable to CVE-2026-42264	29 May 202607:29	–	ibm
IBM Security Bulletins	Security Bulletin: SPSS Collaboration and Deployment Services is affected by multiple vulnerabilities in axios	21 May 202616:04	–	ibm
IBM Security Bulletins	Security Bulletin: IBM App Connect Enterprise is vulnerable to multiple vulnerabilities due to multiple node modules	22 May 202608:50	–	ibm
IBM Security Bulletins	Security Bulletin: IBM Security SOAR is using a component with a known vulnerability (CVE-2026-42264)	4 Jun 202616:00	–	ibm
ATTACKERKB	CVE-2026-42264	8 May 202603:20	–	attackerkb
Chainguard	CVE-2026-42264 vulnerabilities	5 May 202619:17	–	cgr
Circl	CVE-2026-42264	24 Apr 202613:06	–	circl
CNNVD	Axios 安全漏洞	8 May 202600:00	–	cnnvd

[
  {
    "vendor": "axios",
    "product": "axios",
    "versions": [
      {
        "version": ">= 1.0.0, < 1.15.2",
        "status": "affected"
      }
    ]
  }
]

Source	Link
github	www.github.com/axios/axios/pull/10779
github	www.github.com/axios/axios/commit/47915144662f2733e6c051bdcb895a8c8f0586aa
github	www.github.com/axios/axios/releases/tag/v1.15.2
github	www.github.com/axios/axios/security/advisories/GHSA-q8qp-cvcw-x6jj

08 May 2026 03:20Current

CVSS 3.17.4

EPSS0.00414

CWE-1321