DCI - Vulnerability in WEB UI
37529
28 May 2026
28 May 2026
OPEN
CRITICAL
10.0
CVE-2026-42043, CVE-2026-42044, CVE-2026-42264
Broadcom Mainframe Software is alerting customers to a vulnerability in Dynamic Capacity Intelligence 2.0.04.
Dynamic Capacity Intelligence CORE is NOT impacted by this vulnerability.
| Field | Detail |
| --- | --- |
| Product Name | Dynamic Capacity Intelligence 2.0.04 - WEB UI |
| Affected component(s) | HTTPCSSA, HTTPINSB, HTTPINST. Axios was upgraded from 1.15.0 to 1.16.1; least-privilege permissions are set on generated web artifacts. |
| Version PE was Introduced | FMID in Error: CFHR200. Published Date: 05-27-2026 |
| Severity | CRITICAL |
| CVE | CVE-2026-42043, CVE-2026-42044, CVE-2026-42264 |
| CVSS Score | Base: 10.0, Temporal: 9.0 |
| CVSS Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:N/E:P/RL:O/RC:C |
| CVSS Description | (1) Axios is a promise based HTTP client for the browser and Node.js. Prior to 1.15.1 and 0.31.1, an attacker who can influence the target URL of an Axios request can use any address in the 127.0.0.0/8 range (other than 127.0.0.1) to completely bypass the NO_PROXY protection. This vulnerability is due to an incomplete fix for CVE-2025-62718. (2) Axios is a promise based HTTP client for the browser and Node.js. From 1.0.0 to before 1.15.2, the Axios library is vulnerable to a Prototype Pollution "Gadget" attack that allows any Object.prototype pollution in the application's dependency tree to be escalated into surgical, invisible modification of all JSON API responses — including privilege escalation, balance manipulation, and authorization bypass. The default transformResponse function at lib/defaults/index.js:124 calls JSON.parse(data, this.parseReviver), where this is the merged config object. Because parseReviver is not present in Axios defaults, not validated by assertOptions, and not subject to any constraints, a polluted Object.prototype.parseReviver function is called for every key-value pair in every JSON response, allowing the attacker to selectively modify individual values while leaving the rest of the response intact. (3) Axios is a promise based HTTP client for the browser and Node.js. From version 1.0.0 to before version 1.15.2, five config properties (auth, baseURL, socketPath, beforeRedirect, and insecureHTTPParser) in the HTTP adapter are read via direct property access without hasOwnProperty guards, making them exploitable as prototype pollution gadgets. When Object.prototype is polluted by another dependency in the same process, axios silently picks up these polluted values on every outbound HTTP request. (4) A co-resident USS user can overwrite cadci.bundle.js between upload and tar, injecting arbitrary JavaScript into the product deliverable that ultimately executes in customer browsers — a supply-chain compromise. |
| Solution | PTF: LU20632 |
| Platform(s) | z/OS |
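The parseReviver gadget described in the CVSS Description can be modelled in a few lines. This is an added example, not axios or Broadcom code: a toy config merge stands in for the merged config object, an unguarded `JSON.parse(data, config.parseReviver)` reproduces the lookup through the prototype chain, and a guarded variant honours only an own, function-valued property. The prototype pollution is constructed inside the demo as a precondition and removed afterwards.

```javascript
// Toy model of the axios transformResponse gadget and a guarded alternative (not axios code).
// Assumption: the merged config is a plain object, so inherited Object.prototype keys are visible.
function mergeConfig(defaults, userConfig) {
  return Object.assign({}, defaults, userConfig); // own enumerable keys only, prototype untouched
}

// Unguarded: config.parseReviver resolves through the prototype chain, so a polluted
// Object.prototype.parseReviver is handed to JSON.parse and runs for every key/value pair.
function transformResponseUnguarded(config, data) {
  return JSON.parse(data, config.parseReviver);
}

// Guarded: only an own property that is actually a function is used as the reviver.
function transformResponseGuarded(config, data) {
  const own = Object.prototype.hasOwnProperty.call(config, 'parseReviver');
  const reviver = own && typeof config.parseReviver === 'function' ? config.parseReviver : undefined;
  return JSON.parse(data, reviver);
}

// Detection: which of the gadget properties named in the advisory currently sit on Object.prototype.
const GADGET_KEYS = ['parseReviver', 'auth', 'baseURL', 'socketPath', 'beforeRedirect', 'insecureHTTPParser'];
function pollutedGadgetKeys() {
  return GADGET_KEYS.filter((k) => Object.prototype.hasOwnProperty.call(Object.prototype, k));
}

function demo() {
  // Constructed sample JSON response body.
  const body = '{"user":"alice","role":"user","balance":100}';
  // Constructed precondition: some other dependency has already polluted Object.prototype.
  Object.prototype.parseReviver = function (key, value) {
    return key === 'role' ? 'tampered' : value; // rewrites one field, leaves the rest intact
  };
  const config = mergeConfig({}, {}); // nothing in defaults or user config mentions parseReviver
  const result = {
    unguarded: transformResponseUnguarded(config, body), // role silently becomes 'tampered'
    guarded: transformResponseGuarded(config, body),     // role stays 'user'
    detected: pollutedGadgetKeys(),                      // ['parseReviver']
  };
  delete Object.prototype.parseReviver; // remove the constructed pollution again
  return result;
}

console.log(JSON.stringify(demo()));
```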
Broadcom customers may receive alerts and advisories by subscribing to Proactive Notifications.
If you missed any Mainframe Security Advisory alerts, you can find them all under Mainframe Security Advisories on the customer support portal.
To download a .CSV file that contains a consolidated list of security advisories affecting Broadcom mainframe products, click here for download instructions. You can use this file to easily search the CVE information.
Broadcom SECINT HOLDDATA is incorporated into our standard HOLDDATA file downloads. Therefore, it is not necessary to download any additional HOLDDATA files. Broadcom recommends that you use SMP/E Receive Order to acquire HOLDDATA and maintenance.
Customers who require additional information about this notice may contact Broadcom Support at: Support.Broadcom.com.
According to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an "industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response." For an explanation of the CVSS scoring system and a description of each metric, please visit https://www.first.org/cvss/v3.
BROADCOM PROVIDES THE CVSS BASE AND TEMPORAL SCORES "AS IS" WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY IN THEIR SPECIFIC ENVIRONMENT. BROADCOM DOES NOT PROVIDE A CVSS ENVIRONMENT SCORE. THE CVSS ENVIRONMENT SCORE IS CUSTOMER ENVIRONMENT SPECIFIC AND WILL IMPACT THE OVERALL CVSS SCORE. CUSTOMERS SHOULD EVALUATE THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY AND CAN CALCULATE A CVSS ENVIRONMENT SCORE.
The CVSS score and all other information describing the security matter is Broadcom confidential and may be used by you for internal purposes only and may not be disclosed to any third party without Broadcom's prior written consent.