CVE-2026-48617

Description

A flaw in Node.js Permission Model enforcement allows Bypass via `process.report.writeReport()` Path Misvalidation. This can lead to confidentiality impact or bypass of the intended security boundary under affected configurations. This vulnerability affects all supported release lines: **Node.js 22**, **Node.js 24**, and **Node.js 26**.

How to fix CVE-2026-48617

No fixed version has been published yet. Mitigate by removing the affected package or applying upstream guidance from the references below.

Debian/nodejs—no fix listed

Is CVE-2026-48617 being exploited?

No exploitation signal available. Neither CISA KEV nor a current EPSS score has been published for CVE-2026-48617.

Affected packages (1)

from 0

CVSS scores

Source	Version	Severity	Vector
nvd	CVSS 3.0	LOW1.8	CVSS:3.0/AV:L/AC:H/PR:H/UI:R/S:U/C:N/I:L/A:N

References (1)

ADVISORYsecurity-tracker.debian.org/tracker/CVE-2026-48617