CVE-2026-48937
NONE EPSS 35.6%
Published Jun 18, 20262w ago · Modified Jun 22, 20261w ago
Published Jun 18, 2026 2w ago
Last Modified Jun 22, 2026 1w ago
Description
A flaw in Node.js HTTP/2 server API can cause servers to keep accepting data even after sending a `GOAWAY` frame. This vulnerability affects two supported release lines: **Node.js 22** and **Node.js 24**.
Threat Intelligence
EPSS Exploit Probability
35.6% percentile
Exploit & Patch Status
No Known Exploit
No Patch Available
Weaknesses 1
CWE-400 Uncontrolled Resource Consumption Resource Mgmt
References 2
- hackerone.com https://hackerone.com/reports/3658225
- nodejs.org https://nodejs.org/en/blog/vulnerability/june-2026-security-releases
Remediation
No remediation data recorded yet
Check vendor advisories and the NVD entry for patch availability.