Cyber Resilience

CVE-2026-48618

Medium

Published: 26 June 2026

Published
26 June 2026
Modified
26 June 2026
KEV Added
Patch
CVSS Score v3.1 6.5 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
EPSS Score 0.0061 44.8th percentile
Risk Priority 35 floored blend · peak EPSS

Summary

CVE-2026-48618 is a medium-severity Improper Handling of Unicode Encoding (CWE-176) vulnerability in Nodejs Node.Js. Its CVSS base score is 6.5 (Medium).

Operationally, ranked at the 44.8th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

EU & UK References

Vulnerability details

A flaw in Node.js TLS hostname handling can cause Node.js unicode dot separator handling can lead to tls wildcard-depth authentication bypass due to resolver and verifier hostname normalization mismat. This can lead to confidentiality impact or bypass of the intended…

more

security boundary under affected configurations. This vulnerability affects all supported release lines: **Node.js 22**, **Node.js 24**, and **Node.js 26**.

CWE(s)

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

nodejs
node.js
22.22.3, 24.16.0, 26.3.0

Mitigating Controls

No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.

References