nodejs

239 tracked vulnerabilities.

CVE-2026-48936 LOW
Node - Improper Access Control
Jun 26, 2026
CVSS 3.3
EPSS 0.00
CVE-2026-48935 LOW
Node - Incorrect Default Permissions
Jun 26, 2026
CVSS 3.3
EPSS 0.00
CVE-2026-48934 MEDIUM
Node.js 22.x < 22.22.3, 24.x < 24.16.0, 26.x < 26.3.0 - TLS Certificate Validation Bypass
Jun 26, 2026
CVSS 4.3
EPSS 0.00
CVE-2026-48933 HIGH
Node - Integer Overflow or Wraparound
Jun 26, 2026
CVSS 7.5
EPSS 0.03
CVE-2026-48930 CRITICAL
Node - Improper Access Control
Jun 26, 2026
CVSS 9.8
EPSS 0.00
CVE-2026-48928 MEDIUM
Node - Improper Access Control
Jun 26, 2026
CVSS 5.4
EPSS 0.00
CVE-2026-48619 HIGH
Node - Uncontrolled Resource Consumption
Jun 26, 2026
CVSS 7.5
EPSS 0.01
CVE-2026-48618 MEDIUM
Node - Improper Handling of Unicode Encoding
Jun 26, 2026
CVSS 6.5
EPSS 0.01
CVE-2026-48615 HIGH
Node - Exposure of Private Personal Information to an Unauthorized Actor
Jun 26, 2026
CVSS 7.5
EPSS 0.00
CVE-2026-48931 LOW
Node - Time-of-check Time-of-use (TOCTOU) Race Condition
Jun 22, 2026
CVSS 3.7
EPSS 0.00
CVE-2026-48937 MEDIUM
Node - Uncontrolled Resource Consumption
Jun 18, 2026
CVSS 5.3
EPSS 0.00
CVE-2026-48617 LOW
Node - Improper Access Control
Jun 18, 2026
CVSS 1.8
EPSS 0.00
CVE-2026-9697 HIGH
undici vulnerable to TLS certificate validation bypass via dropped requestTls in SOCKS5 ProxyAgent
Jun 17, 2026
CVSS 7.4
EPSS 0.00
CVE-2026-9679 MEDIUM
undici vulnerable to HTTP header injection via Set-Cookie percent-decoding
Jun 17, 2026
CVSS 5.9
EPSS 0.00
CVE-2026-9678 MEDIUM
undici vulnerable to cross-user information disclosure via shared cache whitespace bypass
Jun 17, 2026
CVSS 5.9
EPSS 0.00
CVE-2026-6734 HIGH
undici vulnerable to cross-origin request routing via SOCKS5 proxy pool reuse
Jun 17, 2026
CVSS 7.5
EPSS 0.00
CVE-2026-6733 LOW
undici vulnerable to HTTP response queue poisoning via keep-alive socket reuse
Jun 17, 2026
CVSS 3.7
EPSS 0.00
CVE-2026-11525 LOW
undici vulnerable to Set-Cookie SameSite attribute downgrade via permissive substring matching
Jun 17, 2026
CVSS 3.7
EPSS 0.00
CVE-2026-9675 HIGH
undici WebSocket client vulnerable to denial of service via cumulative fragment bypass
Jun 17, 2026
CVSS 7.5
EPSS 0.00
CVE-2026-12151 HIGH
undici WebSocket client vulnerable to denial of service via fragment count bypass
Jun 17, 2026
CVSS 7.5
EPSS 0.01
CVE-2026-21717 MEDIUM
Node.js 20.x 22.x 24.x 25.x - Denial of Service via V8 String Hash Collision
Mar 30, 2026
CVSS 5.9
EPSS 0.00
CVE-2026-21716 LOW
Node.js 20.20.1 22.22.1 24.14.0 25.8.1 - Missing Authorization in FileHandle Promise API
Mar 30, 2026
CVSS 3.3
EPSS 0.00
CVE-2026-21715 LOW
Node.js 20.x-25.x - Privilege Escalation
Mar 30, 2026
CVSS 3.3
EPSS 0.00
CVE-2026-21714 MEDIUM
Node.js 20.20.1 22.22.1 24.14.0 25.8.1 - Memory Leak via HTTP/2 WINDOW_UPDATE Frames
Mar 30, 2026
CVSS 5.3
EPSS 0.00
CVE-2026-21713 MEDIUM
Node.js 20.x-20.20.1 22.x-22.22.1 24.x-24.14.0 25.x-25.8.1 - Observable Timing Discrepancy in HMAC Verification
Mar 30, 2026
CVSS 5.9
EPSS 0.00