← back
CVE-2026-48618

CVE-2026-48618

CVSS 7.7 HIGHEPSS 0.7%CWE-176
Vexday Risk Score
21Low
SSVC decision (CISA)
Track
No exploitation signal → monitor
CVSS 7.7EPSS 0.7%KEV nãoPoC Nuclei Metasploit Patch
Lifecycle
26 Jun 2026Published on NVD
Recommendation: Monitor — no exploitation signal at the moment.
A flaw in Node.js TLS hostname handling can cause Node.js unicode dot separator handling can lead to tls wildcard-depth authentication bypass due to resolver and verifier hostname normalization mismat. This can lead to confidentiality impact or bypass of the intended security boundary under affected configurations. This vulnerability affects all supported release lines: **Node.js 22**, **Node.js 24**, and **Node.js 26**.
CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N
Affected products
nodejs · node