TLS Hostname Handling Vulnerability in Node.js Products
CVE-2026-48930

5.6 MEDIUM

Key Information:

Vendor: Nodejs

Status
Vendor
CVE Published: 26 June 2026

What is CVE-2026-48930?

A vulnerability in Node.js impacting TLS hostname handling has been identified. Specifically, embedded null characters in hostnames can trigger silent authority rebinding because the resolver bindings truncate the hostname as a C string. This issue affects all supported Node.js release lines (Node.js 22, Node.js 24, and Node.js 26) and poses potential risks to applications that rely on proper hostname validation and secure communications.
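The truncation described above can be caught at the application boundary. The following is an added example, not code from the Node.js project or from this advisory: the helper names (`cStringView`, `assertSafeHostname`, `classify`) and the `example.test` inputs are hypothetical, and it assumes the application can validate a hostname before handing it to any resolver or TLS call.

```javascript
'use strict';
// Added example; helper names are hypothetical, inputs are constructed.

// What a NUL-terminated (C string) consumer reads from a JS string:
// everything before the first U+0000.
function cStringView(host) {
  const nul = host.indexOf('\0');
  return nul === -1 ? host : host.slice(0, nul);
}

// LDH label: letters, digits, hyphen; 1-63 chars; no leading/trailing hyphen.
// Assumption: IP literals and underscore names are handled elsewhere.
const LABEL = /^[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?$/i;

// Returns the normalized name (lowercase, no trailing dot) or throws.
function assertSafeHostname(host) {
  if (typeof host !== 'string' || host.length === 0) {
    throw new TypeError('hostname must be a non-empty string');
  }
  // If the C-string view differs from the JS string, the name checked in
  // JavaScript is not the name native code would act on.
  if (cStringView(host) !== host) {
    throw new RangeError('embedded NUL: native view would be ' +
      JSON.stringify(cStringView(host)));
  }
  const name = host.endsWith('.') ? host.slice(0, -1) : host;
  if (name.length > 253) throw new RangeError('hostname too long');
  for (const label of name.split('.')) {
    if (!LABEL.test(label)) {
      throw new RangeError('invalid label ' + JSON.stringify(label));
    }
  }
  return name.toLowerCase();
}

// Run the guard over a batch and report accept/reject per input.
function classify(inputs) {
  return inputs.map((input) => {
    try { return { input, ok: true, host: assertSafeHostname(input) }; }
    catch (e) { return { input, ok: false, reason: e.message }; }
  });
}

// Constructed sample inputs.
const SAMPLES = ['api.example.test', 'API.Example.Test.',
  'a.example.test\0.b.example.test', 'bad_label.example.test'];
console.log(classify(SAMPLES));
```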

Affected Version(s)

node 22.22.3

node 24.16.0

node 26.3.0

CVSS V3.0

Score: 5.6
Severity: MEDIUM
Confidentiality: Low
Integrity: Low
Availability: Low
Attack Vector: Network
Attack Complexity: High
Privileges Required: None
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved
