CVE-2026-48618
A flaw in Node.js TLS hostname handling can cause Node.js unicode dot separator handling can lead to tls wildcard-depth authentication bypas
CVSS
6.5
Medio
EPSS
2.5%
p83
KEV
—
Exploit Today
25
0-100
Publicado: 26 jun 2026 · Última mod.: 16 jul 2026 · CWE-176 · CWE-289
0.6%EPSS · 30 días2.5%
2026-06-302026-07-16
A flaw in Node.js TLS hostname handling can cause Node.js unicode dot separator handling can lead to tls wildcard-depth authentication bypass due to resolver and verifier hostname normalization mismat. This can lead to confidentiality impact or bypass of the intended security boundary under affected configurations. This vulnerability affects all supported release lines: **Node.js 22**, **Node.js 24**, and **Node.js 26**.
- nodejs.orghttps://nodejs.org/en/blog/vulnerability/june-2026-security-releases
- access.redhat.comhttps://access.redhat.com/errata/RHSA-2026:28727
- access.redhat.comhttps://access.redhat.com/errata/RHSA-2026:29012
- access.redhat.comhttps://access.redhat.com/errata/RHSA-2026:30172
- access.redhat.comhttps://access.redhat.com/errata/RHSA-2026:35841
- access.redhat.comhttps://access.redhat.com/errata/RHSA-2026:35842
- access.redhat.comhttps://access.redhat.com/errata/RHSA-2026:35891
- access.redhat.comhttps://access.redhat.com/errata/RHSA-2026:35892
- access.redhat.comhttps://access.redhat.com/errata/RHSA-2026:39246
- access.redhat.comhttps://access.redhat.com/errata/RHSA-2026:39868
- access.redhat.comhttps://access.redhat.com/errata/RHSA-2026:7378
- access.redhat.comhttps://access.redhat.com/errata/RHSA-2026:9455
- access.redhat.comhttps://access.redhat.com/security/cve/CVE-2026-48618
- bugzilla.redhat.comhttps://bugzilla.redhat.com/show_bug.cgi?id=2493337
- security.access.redhat.comhttps://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-48618.json
CVECVSSEPSSKEVRExplotTítuloVis.
CVE-2025-551309.1 CRÍ73.6%
——22A flaw in Node.js’s Permissions model allows attackers to bypass `--allow-fs-read` and `--allow-fs-write` restrictions using crafted relative symlink paths. By chaining directories and symlinks, a script granted access only to the current directory can escape the allowed path and read sensitive files. This breaks the expected isolation guarantees and enables arbitrary file read/write, leading to potential system compromise.
This vulnerability affects users of the permission model on Node.js v20, v22, v24, and v25.2dCVE-2026-444928.6 ALT55.3%
——17Axios is a promise based HTTP client for the browser and Node.js. Prior to 0.32.0 and 1.16.0, Axios does not normalise IPv4-mapped IPv6 addresses. When NO_PROXY lists an IPv4 address such as 127.0.0.1 or 169.254.169.254, a request URL using the IPv4-mapped IPv6 form (::ffff:7f00:1, ::ffff:a9fe:a9fe) still routes through the configured proxy. Node.js resolves these addresses to the underlying IPv4 host, so the request reaches the internal service via the proxy rather than being blocked. This vulnerability is fixed in 0.32.0 and 1.16.0.16hCVE-2026-3985810.0 CRÍ38.2%
——11Traefik is an HTTP reverse proxy and load balancer. Prior to versions 2.11.43, 3.6.14, and 3.7.0-rc.2, there is a high severity authentication bypass vulnerability in Traefik's ForwardAuth and snippet-based authentication middleware. Traefik's forwarded-header sanitization logic targets only canonical header names (e.g., X-Forwarded-Proto) and does not strip or normalize alias variants that use underscores instead of dashes (e.g., X_Forwarded_Proto). These unsanitized alias headers are forwarded intact to the authentication backend. When the backend normalizes underscore and dash header forms equivalently, an attacker can inject spoofed trust context — such as a trusted scheme or host — through the alias headers and bypass authentication on protected routes without valid credentials. This issue has been patched in versions 2.11.43, 3.6.14, and 3.7.0-rc.2.2dCVE-2026-550757.4 ALT38.2%
——11Coder allows organizations to provision remote development environments via Terraform. Prior to versions 2.29.7, 2.32.7, 2.33.8, and 2.34.2, two flaws in Coder's OIDC login chained into account takeover. Email-based user matching fell back to linking by email without checking for an existing link to a different IdP subject and the `email_verified` claim was only enforced when present as a boolean `false` so an absent or non-boolean claim was treated as verified. The fix in versions 2.29.7, 2.32.7, 2.33.8, and 2.34.2 restricts the email fallback to first-time and legacy linking and defaults `email_verified` to false when the claim is absent or of an unexpected type. As a workaround, configure the OIDC provider to disallow self-registration or to require email verification before issuing tokens.8dCVE-2026-506279.1 CRÍ36.0%
——11The JwtAccessTokenValidator class in Apache CXF fails to validate the 'aud' (Audience) claims of incoming JWT access tokens. This allows a JWT issued for one Resource Server to be successfully replayed against a completely different Resource Server, leading to Token Confusion/Routing attacks. Users are recommended to upgrade to versions 4.2.2 or 4.1.7, which fixes this issue.2dCVE-2026-598906.1 MED21.0%
——6setuptools is a package that allows users to download, build, install, upgrade, and uninstall Python packages. Prior to 83.0.0, FileList applied MANIFEST.in exclude, global-exclude, recursive-exclude, and prune directives by matching compiled glob patterns against on-disk file names without Unicode normalization, so on macOS APFS or HFS+ an NFD file name could bypass an NFC exclusion rule and be packed into a source distribution. This issue is fixed in version 83.0.0.3d