Is CVE-2026-48930 in the CISA Known Exploited Vulnerabilities catalog?

CVE-2026-48930 is not currently listed in the CISA KEV catalog.

Vulnerability intelligence

CVE-2026-48930

CVE-2026-48930: embedded nul-bytes in hostnames cause silent authority rebinding via C-string truncation. Node.js 22, 24, and 26 affected. The severity dispute exposes a scoring system failure.

2026

What WebPulse reported · 1 analysis

Node.js TLS Hostname Bypass: NVD Says CVSS 9.8. HackerOne Says 5.6. Every Framework Built on Node Is Caught in the Middle.

CVE-2026-48930: embedded nul-bytes in hostnames cause silent authority rebinding via C-string truncation. Node.js 22, 24, and 26 affected. The severity dispute

June 28, 2026

View CVE-2026-48930 on the NIST National Vulnerability Database →

Related vulnerabilities

CVE-2026-9082 CVE-2026-8206 CVE-2026-48019 CVE-2026-35273 CVE-2026-11645 CVE-2026-8181 CVE-2026-47291 CVE-2026-45657