CVE-2026-48617
Published 2026-06-18
Priority: P4 · 10 · low · CVSS 3.0: 1.8
Vector: AV:L/AC:H/PR:H/UI:R/S:U/C:N/I:L/A:N
EPSS: 0.21% (10.9th percentile)
A flaw in Node.js Permission Model enforcement allows Bypass via `process.report.writeReport()` Path Misvalidation. This can lead to confidentiality impact or bypass of the intended security boundary under affected configurations. This vulnerability affects all supported release lines: **Node.js 22**, **Node.js 24**, and **Node.js 26**.
Affected
3 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| nodejs | node | 22.22.3 – 22.22.3 | — |
| nodejs | node | 24.16.0 – 24.16.0 | — |
| nodejs | node | 26.3.0 – 26.3.0 | — |
VulDB
Node.js up to 22.22.3/24.16.0/26.3.0 Configuration process.report.writeReport access control (EUVD-2026-37914)
vuldb·2026-06-18
CVE-2026-48617 [LOW] Node.js up to 22.22.3/24.16.0/26.3.0 Configuration process.report.writeReport access control (EUVD-2026-37914)
A vulnerability was found in Node.js up to 22.22.3/24.16.0/26.3.0. It has been rated as critical. Affected is the function process.report.writeReport of the component Configuration Handler. The manipulation leads to improper access controls.
This vulnerability is traded as CVE-2026-48617. An attack has to be approached locally. There is no exploit available.
GHSA
A flaw in Node.js Permission Model enforcement allows Bypass via `process.report.writeReport()` Path Misvalidation.
ghsa_unreviewed·2026-06-18
CVE-2026-48617 [LOW] CWE-284 A flaw in Node.js Permission Model enforcement allows Bypass via `process.report.writeReport()` Path Misvalidation.
A flaw in Node.js Permission Model enforcement allows Bypass via `process.report.writeReport()` Path Misvalidation. This can lead to confidentiality impact or bypass of the intended security boundary under affected configurations. This vulnerability affects all supported release lines: **Node.js 22**, **Node.js 24**, and **Node.js 26**.
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
Published: 2026-06-18