CVE-2026-48618
Published 2026-06-26
Priority: P3 · 44 · medium · 6.5 (CVSS 3.1)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
EPSS: 0.61% (44.8th percentile)
A flaw in Node.js TLS hostname handling can cause Node.js unicode dot separator handling can lead to tls wildcard-depth authentication bypass due to resolver and verifier hostname normalization mismat.
This can lead to confidentiality impact or bypass of the intended security boundary under affected configurations.
This vulnerability affects all supported release lines: **Node.js 22**, **Node.js 24**, and **Node.js 26**.
Affected
9 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| nodejs | node | 22.22.3 – 22.22.3 | — |
| nodejs | node | 24.16.0 – 24.16.0 | — |
| nodejs | node | 26.3.0 – 26.3.0 | — |
| nodejs | node.js | — | — |
| nodejs | node.js | — | — |
| nodejs | node.js | — | — |
| nodejs | nodejs | — | — |
| nodejs_22 | nodejs | — | — |
| nodejs_24 | nodejs | — | — |
CVSS provenance
nvd · v3.1 · 6.5 MEDIUM · CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
nvd · v3.0 · 7.7 HIGH · CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N
vendor_redhat · 6.5 MEDIUM
VulDB
Node.js up to 22.22.3/24.16.0/26.3.0 unicode encoding (Nessus ID 323047)
vuldb·2026-06-27·CVSS 6.5
CVE-2026-48618 [MEDIUM] Node.js up to 22.22.3/24.16.0/26.3.0 unicode encoding (Nessus ID 323047)
A vulnerability, which was classified as problematic, was found in Node.js up to 22.22.3/24.16.0/26.3.0. This affects an unknown function. Such manipulation leads to improper handling of unicode encoding.
This vulnerability is documented as CVE-2026-48618. The attack can be executed remotely. There is not any exploit available.
GHSA
A flaw in Node.js TLS hostname handling can cause Node.js unicode dot separator handling can lead to tls wildcard-depth authentication bypass due to resolver and verifier hostname normalization mismat
ghsa_unreviewed·2026-06-26
CVE-2026-48618 [HIGH] CWE-176 A flaw in Node.js TLS hostname handling can cause Node.js unicode dot separator handling can lead to tls wildcard-depth authentication bypass due to resolver and verifier hostname normalization mismat
Red Hat
nodejs: Node.js: Authentication bypass due to TLS hostname handling and unicode dot separator mismatch
vendor_redhat·2026-06-26·CVSS 6.5
CVE-2026-48618 [MEDIUM] CWE-289 nodejs: Node.js: Authentication bypass due to TLS hostname handling and unicode dot separator mismatch
A flaw was found in Node.js. This flaw involves a mismatch in how Node.js handles TLS (Transport Layer Security) hostnames and unicode dot separators during authentication. This mismatch can lead to a wildcard-depth authentication bypass. An attacker could exploit this to bypass intended security boundaries, potentially leading to unauthorized access and confidentiality impact.
Statement: This Important flaw in Node.js allows for a TLS wildcard-depth authentication bypass due to a mismatch in how hostnames and unicode dot separators are handled during authentication. This could enable an attacker to circumvent security boundaries, potentially leading to unauthorized access and compromis
No detection rules found.
No public exploits indexed.
Bugzilla
CVE-2026-48618 nodejs24: Node.js: Authentication bypass due to TLS hostname handling and unicode dot separator mismatch [fedora-all]
bugzilla·2026-06-26·CVSS 6.5
CVE-2026-48618 [MEDIUM] CVE-2026-48618 nodejs24: Node.js: Authentication bypass due to TLS hostname handling and unicode dot separator mismatch [fedora-all]
Disclaimer: Community trackers are created by Red Hat Product Security team on a best effort basis. Package maintainers are required to ascertain if the flaw indeed affects their package, before starting the update process.
Bugzilla
CVE-2026-48618 nodejs: Node.js: Authentication bypass due to TLS hostname handling and unicode dot separator mismatch
bugzilla·2026-06-26·CVSS 6.5
CVE-2026-48618 [MEDIUM] CVE-2026-48618 nodejs: Node.js: Authentication bypass due to TLS hostname handling and unicode dot separator mismatch
Bugzilla
CVE-2026-48618 nodejs22: Node.js: Authentication bypass due to TLS hostname handling and unicode dot separator mismatch [fedora-all]
bugzilla·2026-06-26·CVSS 6.5
CVE-2026-48618 [MEDIUM] CVE-2026-48618 nodejs22: Node.js: Authentication bypass due to TLS hostname handling and unicode dot separator mismatch [fedora-all]
Bugzilla
CVE-2026-48618 nodejs20: Node.js: Authentication bypass due to TLS hostname handling and unicode dot separator mismatch [fedora-all]
bugzilla·2026-06-26·CVSS 6.5
CVE-2026-48618 [MEDIUM] CVE-2026-48618 nodejs20: Node.js: Authentication bypass due to TLS hostname handling and unicode dot separator mismatch [fedora-all]
Hackernews
⚡ Weekly Recap: Browser Bugs, EDR Killers, TV Botnet, OpenBSD Flaw, Android Trojan, and More
blogs_hackernews·2026-06-22·CVSS 9.8
CVE-2026-24858 [CRITICAL] ⚡ Weekly Recap: Browser Bugs, EDR Killers, TV Botnet, OpenBSD Flaw, Android Trojan, and More
## ⚡ Weekly Recap: Browser Bugs, EDR Killers, TV Botnet, OpenBSD Flaw, Android Trojan, and More
It’s Monday again.
This week’s threat list looks painfully familiar: abused integrations, fake tools, poisoned websites, ransomware crews trying to shut down security tools, and mobile malware asking for way too much control.
The annoying part is how little of this feels new. Weak credentials, sketchy downloads, browser extensions with too much access, and WordPress sites are used to push more attacks. Nothing clever. Just sloppy, cheap, and effective.
Here’s the Monday recap. Let’s get into the week’s mess.
## ⚡ Threat of the We