Node
This hub aggregates every CVE we track for Node, a product in the oss libraries space. Use it to gauge the current risk picture and drill into individual advisories.
111
CVEs tracked
12
Critical
54
High
0
In CISA KEV
Severity distribution
HIGH54MEDIUM35CRITICAL12LOW10
Monthly trend
0
8
0
0
0
4
1
0
0
3
0
2
0
0
0
0
0
8
0
8
0
0
12
0
2024-082026-07
Latest CVEs
The 15 most recently published vulnerabilities affecting Node.
- CVE-2026-48930A flaw in Node.js TLS hostname handling can cause Embedded-nul hostnames can lead to silent authority rebinding due to c-string truncation in resolver bindings. This vulnerability affects all su...9.8
- CVE-2026-48936A flaw in Node.js Permission API can cause a local server to be started (via a Unix domain socket), even without the `--allow-net` permission. This vulnerability affects one supported release li...3.3
- CVE-2026-48935A flaw in Node.js Permission API can cause a file metadata to be modified even on a path that was set as read-only with e.g. `--allow-fs-read`. This vulnerability affects all supported release l...3.3
- CVE-2026-48934A flaw in Node.js TLS host verification can cause an attacker to bypass certification validation. This vulnerability affects all supported release lines: **Node.js 22**, **Node.js 24**, and **No...4.3
- CVE-2026-48618A flaw in Node.js TLS hostname handling can cause Node.js unicode dot separator handling can lead to tls wildcard-depth authentication bypass due to resolver and verifier hostname normalization mis...6.5
- CVE-2026-48619A flaw in Node.js HTTP/2 client allows a server to send an unlimited number of ORIGIN frames, which could lead to an Out of Memory error on the client. This vulnerability affects all supported r...7.5
- CVE-2026-48615A flaw in Node.js proxy tunnel error handling could expose proxy credentials in `ERR_PROXY_TUNNEL` error messages. When proxy credentials are embedded in the proxy URL, they may be exposed throu...7.5
- CVE-2026-48933A flaw in Node.js WebCrypto implementation can crash the process if the input of `subtle.encrypt()` is a multiple of 2GiB. This vulnerability affects all supported release lines: **Node.js 22**,...7.5
- CVE-2026-48928A inconsistency in Node.js hostname matching can cause a trust-policy bypass in multi-context mTLS setups. This vulnerability affects all supported release lines: **Node.js 22**, **Node.js 24**,...5.4
- CVE-2026-48931A flaw in Node.js HTTP Agent can cause a client to accept as valid a response that is send before the client has sent the request. This vulnerability affects all supported release lines: **Node....3.7
- CVE-2026-48937A flaw in Node.js HTTP/2 server API can cause servers to keep accepting data even after sending a `GOAWAY` frame. This vulnerability affects two supported release lines: **Node.js 22** and **Node.j...5.3
- CVE-2026-48617A flaw in Node.js Permission Model enforcement allows Bypass via `process.report.writeReport()` Path Misvalidation. This can lead to confidentiality impact or bypass of the intended security bounda...1.8
- CVE-2026-21715A flaw in Node.js Permission Model filesystem enforcement leaves `fs.realpathSync.native()` without the required read permission checks, while all comparable filesystem functions correctly enforce ...3.3
- CVE-2026-21717A flaw in V8's string hashing mechanism causes integer-like strings to be hashed to their numeric value, making hash collisions trivially predictable. By crafting a request that causes many such co...5.9
- CVE-2026-21713A flaw in Node.js HMAC verification uses a non-constant-time comparison when validating user-provided signatures, potentially leaking timing information proportional to the number of matching bytes...5.9
Product normalization is registry-driven with AI assist and human review. How it works