CVE-2026-48931

LOW NVD

CVSS Score 3.7

Severity LOW

Published Jun 22, 2026

Vendor unknown

Description

A flaw in Node.js HTTP Agent can cause a client to accept as valid a response that is send before the client has sent the request. This vulnerability affects all supported release lines: **Node.js 22**, **Node.js 24**, and **Node.js 26**.

References

https://nodejs.org/en/blog/vulnerability/june-2026-security-releases