CVE-2026-48930
- EPSS 0.41%
- Veröffentlicht 26.06.2026 01:14:37
- Zuletzt bearbeitet 26.06.2026 20:19:14
A flaw in Node.js TLS hostname handling can cause Embedded-nul hostnames can lead to silent authority rebinding due to c-string truncation in resolver bindings. This vulnerability affects all supported release lines: **Node.js 22**, **Node.js 24**...
CVE-2026-48615
- EPSS 0.44%
- Veröffentlicht 26.06.2026 01:14:36
- Zuletzt bearbeitet 26.06.2026 20:18:50
A flaw in Node.js proxy tunnel error handling could expose proxy credentials in `ERR_PROXY_TUNNEL` error messages. When proxy credentials are embedded in the proxy URL, they may be exposed through error handling paths and captured by logs, diagnos...
CVE-2026-48618
- EPSS 0.67%
- Veröffentlicht 26.06.2026 01:14:36
- Zuletzt bearbeitet 26.06.2026 20:18:43
A flaw in Node.js TLS hostname handling can cause Node.js unicode dot separator handling can lead to tls wildcard-depth authentication bypass due to resolver and verifier hostname normalization mismat. This can lead to confidentiality impact or by...
CVE-2026-48619
- EPSS 0.66%
- Veröffentlicht 26.06.2026 01:14:36
- Zuletzt bearbeitet 26.06.2026 20:18:56
A flaw in Node.js HTTP/2 client allows a server to send an unlimited number of ORIGIN frames, which could lead to an Out of Memory error on the client. This vulnerability affects all supported release lines: **Node.js 22**, **Node.js 24**, and **N...
CVE-2026-48928
- EPSS 0.26%
- Veröffentlicht 26.06.2026 01:14:36
- Zuletzt bearbeitet 26.06.2026 20:19:06
A inconsistency in Node.js hostname matching can cause a trust-policy bypass in multi-context mTLS setups. This vulnerability affects all supported release lines: **Node.js 22**, **Node.js 24**, and **Node.js 26**.
CVE-2026-48933
- EPSS 2.81%
- Veröffentlicht 26.06.2026 01:14:36
- Zuletzt bearbeitet 07.07.2026 12:16:56
A flaw in Node.js WebCrypto implementation can crash the process if the input of `subtle.encrypt()` is a multiple of 2GiB. This vulnerability affects all supported release lines: **Node.js 22**, **Node.js 24**, and **Node.js 26**.
CVE-2026-48934
- EPSS 0.26%
- Veröffentlicht 26.06.2026 01:14:36
- Zuletzt bearbeitet 29.06.2026 14:16:54
A flaw in Node.js TLS host verification can cause an attacker to bypass certification validation. This vulnerability affects all supported release lines: **Node.js 22**, **Node.js 24**, and **Node.js 26**.
CVE-2026-48935
- EPSS 0.15%
- Veröffentlicht 26.06.2026 01:14:36
- Zuletzt bearbeitet 26.06.2026 20:14:33
A flaw in Node.js Permission API can cause a file metadata to be modified even on a path that was set as read-only with e.g. `--allow-fs-read`. This vulnerability affects all supported release lines: **Node.js 22**, **Node.js 24**, and **Node.js 2...
CVE-2026-48936
- EPSS 0.15%
- Veröffentlicht 26.06.2026 01:14:36
- Zuletzt bearbeitet 26.06.2026 19:55:59
A flaw in Node.js Permission API can cause a local server to be started (via a Unix domain socket), even without the `--allow-net` permission. This vulnerability affects one supported release line: **Node.js 26**.
CVE-2026-48931
- EPSS 0.37%
- Veröffentlicht 22.06.2026 18:59:30
- Zuletzt bearbeitet 03.07.2026 01:16:22
A flaw in Node.js HTTP Agent can cause a client to accept as valid a response that is send before the client has sent the request. This vulnerability affects all supported release lines: **Node.js 22**, **Node.js 24**, and **Node.js 26**.