CVE-2026-48937
MEDIUM
NVD
CVSS Score
5.3
Severity
MEDIUM
Published
Jun 18, 2026
Vendor
unknown
Description
A flaw in Node.js HTTP/2 server API can cause servers to keep accepting data even after sending a `GOAWAY` frame. This vulnerability affects two supported release lines: **Node.js 22** and **Node.js 24**.