CVE-2026-44494 (GHSA-35jp-ww65-95wh) is a prototype pollution vulnerability in the axios HTTP client library. When chained with a separate prototype pollution injection point in the same Node.js runtime, it can redirect all outbound axios HTTP requests through an attacker-controlled proxy, enabling full traffic interception, including authentication tokens and API credentials. Exploitation requires a precondition (an existing prototype pollution vector in the same runtime), making this a second-stage or chained exploit in realistic scenarios. The vulnerability is not currently KEV-listed and EPSS data is not yet available, but the CVSS score of 8.1 and the breadth of axios deployment in production Node.js services warrant a 72-hour software composition analysis sweep and patch cycle.
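The chaining described above depends on a configuration lookup that walks the prototype chain. The following is an added example, not axios source code and not taken from the advisory: the resolver functions are hypothetical and the hostnames are constructed placeholders. It shows a runtime whose `Object.prototype` is already polluted, a check that detects that state, and an own-property lookup that ignores the inherited value.

```javascript
// Added example: hypothetical config resolvers, not axios internals.

// Naive lookup: plain property access walks the prototype chain, so a key
// planted on Object.prototype appears on every config that did not set it.
function resolveProxyNaive(requestConfig) {
  return requestConfig.proxy || null;
}

// Hardened lookup: accept the setting only when it is an own property of
// the caller's config object.
function resolveProxyOwnOnly(requestConfig) {
  return Object.prototype.hasOwnProperty.call(requestConfig, 'proxy')
    ? requestConfig.proxy
    : null;
}

// Runtime check: for...in over an empty object lists inherited enumerable
// keys. A healthy runtime returns an empty array.
function pollutedKeys() {
  const keys = [];
  for (const key in {}) keys.push(key);
  return keys;
}

// Simulate the precondition (an already polluted prototype) with constructed
// values, compare the lookups, then restore the prototype.
function demo() {
  const config = { url: 'https://api.example.test/v1/items' }; // constructed
  const before = pollutedKeys();
  Object.prototype.proxy = { host: 'proxy.example.test', port: 8080 }; // constructed
  try {
    return {
      before,
      during: pollutedKeys(),
      naive: resolveProxyNaive(config),
      hardened: resolveProxyOwnOnly(config),
      // A null-prototype copy has no chain to inherit from.
      nullProto: resolveProxyNaive(Object.assign(Object.create(null), config)),
    };
  } finally {
    delete Object.prototype.proxy;
  }
}

console.log(demo());
```

Running `pollutedKeys()` at service start-up and on a health-check path gives an inexpensive signal that the precondition for this chain exists in the process.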

Author

Tech Jacks Solutions