cbcvebase.
CVE-2026-48936
published 2026-06-26

CVE-2026-48936: A flaw in Node.js Permission API can cause a local server to be started (via a Unix domain socket), even without the `--allow-net` permission. This…

PriorityP412low3.3CVSS 3.0
AVLACLPRLUINSUCNILAN
EPSS
0.15%
4.5th percentile
A flaw in Node.js Permission API can cause a local server to be started (via a Unix domain socket), even without the `--allow-net` permission. This vulnerability affects one supported release line: **Node.js 26**.

Affected

5 ranges
VendorProductVersion rangeFixed in
nodejsnode26.3.0 – 26.3.0
nodejsnode.js
nodejsnodejs
nodejs_22nodejs
nodejs_24nodejs

CVSS provenance

nvdv3.03.3LOWCVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
vendor_redhat3.3LOW
Stop checking back — get the weekly exploitation signal.

Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.