CVE-2026-48933
A flaw in Node.js WebCrypto implementation can crash the process if the input of `subtle.encrypt()` is a multiple of 2GiB. This vulnerabi
CVSS
7.5
High
EPSS
2.8%
p85
KEV
—
Exploit Today
25
0-100
Published: Jun 26, 2026 · Last modified: Jul 16, 2026 · CWE-190 · CWE-770
1.6%EPSS · 30 days2.8%
2026-06-302026-07-16
A flaw in Node.js WebCrypto implementation can crash the process if the input of `subtle.encrypt()` is a multiple of 2GiB. This vulnerability affects all supported release lines: **Node.js 22**, **Node.js 24**, and **Node.js 26**.
- nodejs.orghttps://nodejs.org/en/blog/vulnerability/june-2026-security-releases
- access.redhat.comhttps://access.redhat.com/errata/RHSA-2026:28727
- access.redhat.comhttps://access.redhat.com/errata/RHSA-2026:29012
- access.redhat.comhttps://access.redhat.com/errata/RHSA-2026:30172
- access.redhat.comhttps://access.redhat.com/errata/RHSA-2026:35841
- access.redhat.comhttps://access.redhat.com/errata/RHSA-2026:35842
- access.redhat.comhttps://access.redhat.com/errata/RHSA-2026:35891
- access.redhat.comhttps://access.redhat.com/errata/RHSA-2026:35892
- access.redhat.comhttps://access.redhat.com/errata/RHSA-2026:39246
- access.redhat.comhttps://access.redhat.com/errata/RHSA-2026:39868
- access.redhat.comhttps://access.redhat.com/errata/RHSA-2026:7378
- access.redhat.comhttps://access.redhat.com/errata/RHSA-2026:9455
- access.redhat.comhttps://access.redhat.com/security/cve/CVE-2026-48933
- bugzilla.redhat.comhttps://bugzilla.redhat.com/show_bug.cgi?id=2493331
- security.access.redhat.comhttps://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-48933.json
CVECVSSEPSSKEVRExploitTitleMod.
CVE-2026-217107.5 HIG97.8%
——29A flaw in Node.js HTTP request handling causes an uncaught `TypeError` when a request is received with a header named `__proto__` and the application accesses `req.headersDistinct`.
When this occurs, `dest["__proto__"]` resolves to `Object.prototype` rather than `undefined`, causing `.push()` to be called on a non-array. This exception is thrown synchronously inside a property getter and cannot be intercepted by `error` event listeners, meaning it cannot be handled without wrapping every `req.headersDistinct` access in a `try/catch`.
* This vulnerability affects all Node.js HTTP servers on **20.x, 22.x, 24.x, and v25.x**2dCVE-2020-292387.5 HIG96.6%
——29An integer buffer overflow in the Nginx webserver of ExpressVPN Router version 1 allows remote attackers to obtain sensitive information when the server running as reverse proxy via specially crafted request.8dCVE-2022-250627.5 HIG87.6%
——26TP-LINK TL-WR840N(ES)_V6.20_180709 was discovered to contain an integer overflow via the function dm_checkString. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted HTTP request.8dCVE-2023-458539.8 CRI86.6%
——26MiniZip in zlib through 1.3 has an integer overflow and resultant heap-based buffer overflow in zipOpenNewFileInZip4_64 via a long filename, comment, or extra field. NOTE: MiniZip is not a supported part of the zlib product. NOTE: pyminizip through 0.2.6 is also vulnerable because it bundles an affected zlib version, and exposes the applicable MiniZip code through its compress API.2dCVE-2026-261307.5 HIG85.0%
——25Allocation of resources without limits or throttling in ASP.NET Core allows an unauthorized attacker to deny service over a network.2dCVE-2026-455917.5 HIG82.4%
——25Uncontrolled resource consumption in ASP.NET Core allows an unauthorized attacker to deny service over a network.2d