Web Application Vulnerabilities Runtime SCA Findings
Looking for the vulnerability index of Invicti's legacy products?
Invicti Enterprise Acunetix Standard & Premium
axios Improper Encoding or Escaping of Output Vulnerability - CVE-2026-42040 - Vulnerability Database
axios

axios Improper Encoding or Escaping of Output Vulnerability - CVE-2026-42040

Low
Reference: CVE-2026-42040
NVD Link: https://nvd.nist.gov/vuln/detail/CVE-2026-42040
Title: axios Improper Encoding or Escaping of Output Vulnerability
Overview:

Axios is a promise based HTTP client for the browser and Node.js. Prior to 1.15.1 and 0.31.1 the encode() function in lib/helpers/AxiosURLSearchParams.js contains a character mapping (charMap) at line 21 that reverses the safe percent-encoding of null bytes. After encodeURIComponent(39x0039) correctly produces the safe sequence 00 the charMap entry 390039: 39x0039 converts it back to a raw null byte. Primary impact is limited because the standard axios request flow is not affected. This vulnerability is fixed in 1.15.1 and 0.31.1.