CVE Catalog

CVE-2026-48936

Low (CVSS 3.3)

Exploitation Probability (EPSS)

Low risk
0.15%

5th percentile — higher than 5% of all known CVEs

Summary

A flaw in the Node.js Permission API allows a local server to be started over a Unix domain socket, even without the `--allow-net` permission. This affects the Node.js 26 release line.

Risk Assessment

An attacker can start an unauthorized local server, potentially leading to data leakage or further privilege escalation in the environment.

Recommendation

Immediately update Node.js to the latest patch version of the 26 release line and restrict access to Unix domain sockets in the system configuration.

Original NVD description (English source)

A flaw in Node.js Permission API can cause a local server to be started (via a Unix domain socket), even without the `--allow-net` permission. This vulnerability affects one supported release line: **Node.js 26**.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS