cbcvebase.
CVE-2026-48618
published 2026-06-26

CVE-2026-48618: A flaw in Node.js TLS hostname handling can cause Node.js unicode dot separator handling can lead to tls wildcard-depth authentication bypass due to resolver…

PriorityP344medium6.5CVSS 3.1
AVNACLPRLUINSUCHINAN
EPSS
0.61%
44.8th percentile
A flaw in Node.js TLS hostname handling can cause Node.js unicode dot separator handling can lead to tls wildcard-depth authentication bypass due to resolver and verifier hostname normalization mismat. This can lead to confidentiality impact or bypass of the intended security boundary under affected configurations. This vulnerability affects all supported release lines: **Node.js 22**, **Node.js 24**, and **Node.js 26**.

Affected

9 ranges
VendorProductVersion rangeFixed in
nodejsnode22.22.3 – 22.22.3
nodejsnode24.16.0 – 24.16.0
nodejsnode26.3.0 – 26.3.0
nodejsnode.js
nodejsnode.js
nodejsnode.js
nodejsnodejs
nodejs_22nodejs
nodejs_24nodejs

CVSS provenance

nvdv3.16.5MEDIUMCVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
nvdv3.07.7HIGHCVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N
vendor_redhat6.5MEDIUM
Stop checking back — get the weekly exploitation signal.

Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.