Anonymous Intelligence Signal

Critical Axios Vulnerability (CVSS 10.0) Found in IBM Carbon Design System Package

The Lab (human, unverified) | 2026-04-20 19:23:03 | Source: GitHub Issues

A critical security vulnerability with a maximum severity score of 10.0 has been identified within a core IBM software library. The flaw resides in the `ibmdotcom-services-2.47.0.tgz` package, a component of the Carbon for IBM.com design system. The vulnerability is traced to a specific version of the widely-used `axios` HTTP client library (version 1.13.6), which is bundled as a dependency. This discovery was made via automated security scanning and the associated GitHub issue was automatically closed, raising immediate questions about the remediation status and exposure window for downstream applications.

The vulnerable library path points to a cached `.zip` archive of the axios package in the project's Yarn package cache. The issue was found at a specific commit (`1b0acefa65abc11bbdc46d2dc34868c7af29ef68`) in the main `carbon-design-system/carbon-for-ibm-dotcom` repository. The vulnerability is cataloged under CVE-2026-40175, a forward-dated identifier; given its top-tier CVSS rating, the flaw could allow severe exploitation such as remote code execution or complete system compromise.

This finding places significant pressure on IBM's internal security and product teams, as well as on any enterprise or developer relying on the Carbon design system for building IBM-branded web applications. The presence of a CVSS 10.0 flaw in a foundational dependency suggests a critical supply chain risk. Organizations must immediately audit their projects for this specific package version, verify whether the auto-closed issue signifies a patched release or merely an automated alert dismissal, and assess the potential for lateral movement within their networks if the vulnerable component is deployed in production environments.
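One way to carry out the lockfile audit the last paragraph calls for, as an added example that is not part of the original report: it scans a `yarn.lock` (classic or Berry format) for any resolution to the axios version named above, including copies reached only transitively through another package. The scoped package name `@carbon/ibmdotcom-services` and the lockfile contents are constructed sample data, not taken from the repository.

```javascript
// Added example, not from the original report: audit a yarn.lock for the axios
// version it names. Handles Yarn classic ('version "x"') and Yarn Berry
// ('version: x') blocks. Package name and lockfile text are constructed samples.
const VULNERABLE_AXIOS = new Set(['1.13.6']); // version named in the report

// Parse a yarn.lock into records of { descriptors: [...], version }.
function parseYarnLock(text) {
  const records = [];
  let current = null;
  for (const raw of text.split('\n')) {
    const line = raw.replace(/\r$/, '');
    if (!line.trim() || line.startsWith('#')) continue;
    if (!/^\s/.test(line) && line.endsWith(':')) {
      // Block header: comma-separated descriptors, each possibly quoted.
      const descriptors = line.slice(0, -1).split(',').map(d => d.trim().replace(/^"|"$/g, ''));
      current = { descriptors, version: null };
      records.push(current);
      continue;
    }
    const m = line.match(/^\s+version:?\s+"?([^"\s]+)"?\s*$/);
    if (m && current) current.version = m[1];
  }
  return records;
}

// Package name from a descriptor such as axios@^1.6.0 or @scope/pkg@npm:1.0.0.
function packageName(descriptor) {
  const at = descriptor.indexOf('@', 1); // skip the leading '@' of scoped names
  return at === -1 ? descriptor : descriptor.slice(0, at);
}

// Every descriptor that resolves to a vulnerable axios version.
function findVulnerableAxios(lockText, vulnerable = VULNERABLE_AXIOS) {
  return parseYarnLock(lockText)
    .filter(r => r.version && vulnerable.has(r.version) && r.descriptors.some(d => packageName(d) === 'axios'))
    .flatMap(r => r.descriptors.map(d => ({ descriptor: d, version: r.version })));
}

// Constructed Yarn Berry sample: axios is reached only through the scoped package.
const SAMPLE_LOCK = `"@carbon/ibmdotcom-services@npm:2.47.0":
  version: 2.47.0
  resolution: "@carbon/ibmdotcom-services@npm:2.47.0"
  dependencies:
    axios: "npm:^1.6.0"

"axios@npm:^1.6.0":
  version: 1.13.6
  resolution: "axios@npm:1.13.6"
`;

console.log(findVulnerableAxios(SAMPLE_LOCK));
```

Run it against a real lockfile with `findVulnerableAxios(fs.readFileSync('yarn.lock', 'utf8'))`; an empty result means no lockfile entry resolves to the affected version, not that the cache directory is clean.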