PT-2026-35044 · Npm · Axios

August829 · Published 2026-04-24 · Updated 2026-05-18 · CVE-2026-42040

CVSS v3.1: 3.7 (Low)

Vector: AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N

Name of the Vulnerable Software and Affected Versions

Axios versions prior to 0.31.1
Axios versions prior to 1.15.1

Description

The encode() function in lib/helpers/AxiosURLSearchParams.js contains a character mapping (charMap) that reverses the safe percent-encoding of null bytes. While encodeURIComponent('\x00') produces the safe sequence %00, the charMap entry '%00': '\x00' converts it back to a raw null byte. The primary impact is limited as the standard request flow is not affected.

Recommendations

Update to version 0.31.1.
Update to version 1.15.1.
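
The behaviour in the description, modelled as an added example that is not Axios source code: a post-encoding substitution map with the '%00' entry beside one without it, plus a check that flags raw control characters in the serialized output. Only the '%00': '\x00' entry comes from this advisory; the '%20' entry, the function names and the sample input are assumptions made for illustration.

```javascript
// Constructed model of the described behaviour; not code from the Axios repository.
// Only the '%00' -> '\x00' entry is taken from the advisory text.
const CHAR_MAP_WITH_NULL = { '%20': '+', '%00': '\x00' };
const CHAR_MAP_HARDENED = { '%20': '+' }; // no entry that undoes %00

// Percent-encode a value, then apply the substitutions listed in charMap.
function encodeWith(charMap, value) {
  const escaped = Object.keys(charMap).map((k) => k.replace(/[.*+?^${}()|[\]\\]/g, '\\$&'));
  const pattern = new RegExp(escaped.join('|'), 'g');
  return encodeURIComponent(value).replace(pattern, (match) => charMap[match]);
}

// Serialize key/value pairs into a query string using the given charMap.
function serialize(charMap, params) {
  return Object.entries(params)
    .map(([k, v]) => `${encodeWith(charMap, k)}=${encodeWith(charMap, v)}`)
    .join('&');
}

// Defensive check: list raw control characters (0x00-0x1F, 0x7F) that
// survived encoding. A correctly encoded string yields an empty list.
function findRawControlChars(encoded) {
  const hits = [];
  for (let i = 0; i < encoded.length; i++) {
    const code = encoded.charCodeAt(i);
    if (code <= 0x1f || code === 0x7f) hits.push({ index: i, code });
  }
  return hits;
}

// Constructed sample input containing a null byte.
const SAMPLE = { q: 'a\x00b', note: 'x y' };

const before = serialize(CHAR_MAP_WITH_NULL, SAMPLE);
const after = serialize(CHAR_MAP_HARDENED, SAMPLE);

console.log(JSON.stringify(before), findRawControlChars(before));
console.log(JSON.stringify(after), findRawControlChars(after));
```

A check like findRawControlChars can run in a unit test over serialized parameters to confirm that an upgraded dependency no longer emits raw null bytes.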

Exploit

Fix

Improper Encoding or Escaping of Output


Weakness Enumeration

Related Identifiers

CLEANSTART-2026-BE61221
CLEANSTART-2026-LC05413
CVE-2026-42040
GHSA-XHJH-PMCV-23JW

Affected Products

Axios