CVE-2026-48617NVD

Vulnerability Summary

A flaw in Node.js Permission Model enforcement allows Bypass via `process.report.writeReport()` Path Misvalidation. This can lead to confidentiality impact or bypass of the intended security boundary under affected configurations. This vulnerability affects all supported release lines: **Node.js 22**, **Node.js 24**, and **Node.js 26**.

Severity Level

LOW(1.8)

Published Date

Jun 18, 2026

Last Modified

Jun 18, 2026

Exploitation Status

No confirmed exploitation yet

EPSS Score (30-Day)

Data Pending

Root Weakness (CWE)

CWE-284: Unknown/Unlisted Weakness ↗

Refer to the official MITRE database for detailed architectural specifications regarding this weakness.

CVSS v3.0 Base Metrics

Attack VectorLocal

Attack ComplexityHigh

Privileges RequiredHigh

User InteractionRequired

ScopeUnchanged

ConfidentialityNone

IntegrityLow

AvailabilityNone

External References

http://hackerone.com/reports/3692858
https://nodejs.org/en/blog/vulnerability/june-2026-security-releases