CVE-2026-48934

Published: June 20, 2026Last modified: July 7, 2026

Description

A flaw in Node.js TLS host verification can cause an attacker to bypass certification validation. This vulnerability affects all supported release lines: **Node.js 22**, **Node.js 24**, and **Node.js 26**.

Severity score breakdown

ParameterValue
Base score4.3
Attack VectorNETWORK
Attack complexityLOW
Privileges requiredLOW
User interactionNONE
ScopeUNCHANGED
ConfidentialityLOW
Integrity impactNONE
Availability impactNONE
VectorCVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

Status

ProductReleasePackageStatus
Alpaquita Linux23 LTSnodejsUnknown (18.16.0-r0)
25 LTSnodejsFixed (22.23.0-r0)
StreamnodejsFixed (24.17.0-r0)
Hardened Containers23 LTSnodejsUnknown (18.16.0-r0)
25 LTSnodejsFixed (22.23.0-r0)
StreamnodejsFixed (24.17.0-r0)

References

ON THIS PAGE