๐Ÿ” CVE Alert

CVE-2026-48936

LOW 3.3
CVSS Score
3.3
EPSS Score
0.0%
EPSS Percentile
0th

A flaw in Node.js Permission API can cause a local server to be started (via a Unix domain socket), even without the `--allow-net` permission. This vulnerability affects one supported release line: **Node.js 26**.

CWE CWE-284
Vendor nodejs
Product node
Ecosystems
Industries
Technology
Published Jun 26, 2026
Stay Ahead of the Next One

Get instant alerts for nodejs node

Be the first to know when new low vulnerabilities affecting nodejs node are published โ€” delivered to Slack, Telegram or Discord.

Get Free Alerts โ†’ Free ยท No credit card ยท 60 sec setup

CVSS v3 Breakdown

CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

Affected Versions

nodejs / node
26.3.0 โ‰ค 26.3.0

References

NVD โ†— CVE.org โ†— EPSS Data โ†—
nodejs.org: https://nodejs.org/en/blog/vulnerability/june-2026-security-releases