CVE-2026-48936
LowCVSS 3.3Exploitation Probability (EPSS)
Low risk5th percentile — higher than 5% of all known CVEs
Summary
A flaw in Node.js Permission API allows starting a local server via a Unix domain socket, even without the `--allow-net` permission. This affects Node.js 26 release line.
Risk Assessment
An attacker can start an unauthorized local server, potentially leading to data leakage or further privilege escalation in the environment.
Recommendation
Immediately update Node.js to the latest patch version for line 26 and restrict access to Unix domain sockets in system configuration.
Original NVD description (English source)
A flaw in Node.js Permission API can cause a local server to be started (via a Unix domain socket), even without the `--allow-net` permission. This vulnerability affects one supported release line: **Node.js 26**.

