CVE-2026-48937

NONE EPSS 35.6%
Published Jun 18, 20262w ago · Modified Jun 22, 20261w ago
Find Similar
Published Jun 18, 2026 2w ago
Last Modified Jun 22, 2026 1w ago

Description

A flaw in Node.js HTTP/2 server API can cause servers to keep accepting data even after sending a `GOAWAY` frame. This vulnerability affects two supported release lines: **Node.js 22** and **Node.js 24**.

Threat Intelligence

EPSS Exploit Probability
35.6% percentile
Exploit & Patch Status
No Known Exploit
No Patch Available

Weaknesses 1

CWE-400 Uncontrolled Resource Consumption Resource Mgmt

References 2

  • hackerone.com https://hackerone.com/reports/3658225
  • nodejs.org https://nodejs.org/en/blog/vulnerability/june-2026-security-releases

Remediation

No remediation data recorded yet

Check vendor advisories and the NVD entry for patch availability.