Critical Vulnerability in Axios
16 April 2026
Axios has released a software patch to address a critical security vulnerability in the Axios library. Users and administrators of affected product versions are advised to update to the latest version immediately.
Background
Axios has released a software patch to address a critical security vulnerability (CVE-2026-40175) in the Axios library. Axios is a widely used JavaScript library that helps websites and web applications communicate with servers and online services. The vulnerability has been assigned a Common Vulnerability Scoring System (CVSS v3.1) score of 10 out of 10.
Impact
Successful exploitation of this vulnerability could allow an unauthenticated remote attacker to perform server-side request forgery (SSRF) attacks, potentially leading to remote code execution and full cloud compromise.
Affected Products
This vulnerability affects all versions of Axios (npm) below 1.13.2.
Recommendations
Users and administrators of affected product versions are advised to update to the latest version immediately.
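To find installations that still need the update, the following added example (not part of the original advisory or of the Axios project) lists every copy of axios recorded in a parsed package-lock.json, including copies nested under other dependencies, whose version is below 1.13.2. It assumes lockfileVersion 2 or 3; the sample lockfile and its non-axios package names are constructed.

```javascript
// Added example: flag every axios copy in a parsed package-lock.json
// (lockfileVersion 2 or 3) that is below the fixed version on this page.
const FIXED = "1.13.2"; // threshold taken from "Affected Products"

// Parse "MAJOR.MINOR.PATCH[-prerelease]" into comparable parts.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)(-[0-9A-Za-z.-]+)?/.exec(String(v).trim());
  if (!m) return null;
  return { nums: [Number(m[1]), Number(m[2]), Number(m[3])], pre: Boolean(m[4]) };
}

// True when version a sorts before version b. A prerelease of X.Y.Z
// sorts before X.Y.Z itself, so 1.13.2-beta.1 still counts as affected.
function isBelow(a, b) {
  const pa = parseVersion(a), pb = parseVersion(b);
  if (!pa || !pb) return true; // unparseable version: report it for manual review
  for (let i = 0; i < 3; i++) {
    if (pa.nums[i] !== pb.nums[i]) return pa.nums[i] < pb.nums[i];
  }
  return pa.pre && !pb.pre;
}

// Walk the "packages" map; keys look like "node_modules/axios" or
// "node_modules/some-sdk/node_modules/axios" for nested (transitive) copies.
function findAffectedAxios(lock, fixed = FIXED) {
  const hits = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    if (!/(^|\/)node_modules\/axios$/.test(path)) continue;
    if (isBelow(meta.version, fixed)) hits.push({ path, version: meta.version });
  }
  return hits;
}

// Constructed sample lockfile (package names other than axios are made up).
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", version: "1.0.0" },
    "node_modules/axios": { version: "1.13.2" },
    "node_modules/example-sdk/node_modules/axios": { version: "0.27.2" },
    "node_modules/example-client/node_modules/axios": { version: "1.9.0" },
    "node_modules/axios-retry": { version: "4.5.0" },
  },
};

for (const hit of findAffectedAxios(SAMPLE_LOCK)) {
  console.log(`affected: axios ${hit.version} at ${hit.path}`);
}
```

For a real project, pass the result of JSON.parse on the contents of package-lock.json to findAffectedAxios; nested copies are only replaced once the dependency that pins them is itself updated or overridden.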
References
https://github.com/axios/axios/security/advisories/GHSA-fvcv-3m26-pcqx
https://github.com/axios/axios/releases/tag/v1.15.0
