CVE-2026-48617

LOW NVD

CVSS Score 1.8

Severity LOW

Published Jun 18, 2026

Vendor unknown

Description

A flaw in Node.js Permission Model enforcement allows Bypass via `process.report.writeReport()` Path Misvalidation. This can lead to confidentiality impact or bypass of the intended security boundary under affected configurations. This vulnerability affects all supported release lines: **Node.js 22**, **Node.js 24**, and **Node.js 26**.

References

http://hackerone.com/reports/3692858
https://nodejs.org/en/blog/vulnerability/june-2026-security-releases