CVE-2026-44487 (GHSA-p92q-9vqr-4j8v) affects the Axios Node.js HTTP client: when a request configured with a Proxy-Authorization header encounters an HTTP-to-HTTPS redirect, the header is forwarded to the HTTPS origin server, leaking proxy credentials to potentially untrusted third parties. CVSS 7.4, no KEV listing, EPSS 0.0, no confirmed in-the-wild exploitation. The business risk is unauthorized access to internal systems or third-party services protected by those proxy credentials. Any Node.js application using Axios with proxy authentication is potentially exposed.
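The header handling described above can be checked and enforced on the client side. The following is an added example, not code from Axios or from the advisory: it drops `Proxy-Authorization` from any hop whose target is `https:` and audits a recorded redirect chain for the leak. The function names, the sample hosts and the shape of the `options` object are assumptions made for illustration.

```javascript
// Added example, not Axios source. Headers meant for the proxy, never the origin.
const PROXY_ONLY = new Set(['proxy-authorization']);

// Split `headers` into those safe for the next hop and those removed.
// An https: request is delivered to the origin server itself (through a
// CONNECT tunnel when a proxy is in use), so proxy-only headers are dropped.
// Names are compared case-insensitively.
function headersForHop(headers, protocol) {
  const safe = {};
  const removed = [];
  for (const [name, value] of Object.entries(headers || {})) {
    if (protocol === 'https:' && PROXY_ONLY.has(name.toLowerCase())) {
      removed.push(name);
    } else {
      safe[name] = value;
    }
  }
  return { safe, removed };
}

// Hook shaped for the Axios `beforeRedirect` option. Assumption: `options` is
// the mutable request-options object for the redirect target, carrying
// `protocol` and `headers`.
function stripProxyAuthBeforeRedirect(options) {
  const { safe, removed } = headersForHop(options.headers, options.protocol);
  options.headers = safe;
  return removed;
}

// Audit helper: given recorded hops ({ url, headers }), return the https URLs
// that were sent a proxy-only header.
function findProxyCredentialLeaks(hops) {
  return hops
    .filter((hop) => headersForHop(hop.headers, new URL(hop.url).protocol).removed.length > 0)
    .map((hop) => hop.url);
}

// Constructed sample: an http: request redirected to https:, credentials carried over.
const sampleHops = [
  { url: 'http://service.example/start', headers: { 'Proxy-Authorization': 'Basic PLACEHOLDER' } },
  { url: 'https://service.example/start', headers: { 'proxy-authorization': 'Basic PLACEHOLDER' } },
];
console.log(findProxyCredentialLeaks(sampleHops));
```

Passing `stripProxyAuthBeforeRedirect` as `beforeRedirect` in a request config is one defensive layer; whether it covers this defect depends on where the affected version attaches the header, which the advisory summary above does not state.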