VDB
CVE-2026-48928
CVE-2026-48928
PUBLISHED
CVSS 4.2 MEDIUM
Reported by hackerone · Published June 26, 2026
A inconsistency in Node.js hostname matching can cause a trust-policy bypass in multi-context mTLS setups. This vulnerability affects all supported release lines: **Node.js 22**, **Node.js 24**, and **Node.js 26**.
Risk Scores
CVSS 3.0
4.2
CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| nodejs | node | 22.22.3, 24.16.0, 26.3.0 |
| nodejs | node | 22.22.3, 24.16.0, 26.3.0 |
| alpine | nodejs | 0, 0, 0 |
Timeline
- CVE Published
- Jun 25, 2026 PoC Published
- Jul 5, 2026 EPSS Score
- Jul 6, 2026 Distribution Patch
- Jul 6, 2026 Security Advisory
- Jul 6, 2026 Distribution Patch
- Jul 6, 2026 Security Advisory
- Jul 7, 2026 Distribution Patch
- Jul 7, 2026 Security Advisory
- Jul 7, 2026 Distribution Patch
- Jul 7, 2026 Security Advisory
- Jul 7, 2026 Distribution Patch