{"cve":{"cve_id":"CVE-2026-48615","is_kev":false,"kev_date_added":null,"kev_vendor_project":null,"kev_product":null,"kev_vulnerability_name":null,"kev_short_description":null,"kev_required_action":null,"kev_due_date":null,"kev_known_ransomware":null,"kev_notes":null,"kev_cwes":null,"epss_score":null,"epss_percentile":null,"epss_as_of":null,"description":"A flaw in Node.js proxy tunnel error handling could expose proxy credentials in `ERR_PROXY_TUNNEL` error messages.\r\n\r\nWhen proxy credentials are embedded in the proxy URL, they may be exposed through error handling paths and captured by logs, diagnostics, or other error consumers.\r\n\r\nThis vulnerability affects all supported release lines: **Node.js 22**, **Node.js 24**, and **Node.js 26**.","published_at":"2026-06-26T01:14:36.524000Z","last_modified_at":null,"cvss_v3_score":5.9,"cvss_v3_vector":"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N","cvss_v3_severity":"MEDIUM","cvss_v4_score":null,"cvss_v4_vector":null,"cvss_v4_severity":null,"ssvc_decision":null,"ssvc_exploitation":null,"ssvc_automatable":null,"ssvc_technical_impact":null,"cwes":["CWE-359"],"nvd_references":["https://nodejs.org/en/blog/vulnerability/june-2026-security-releases"],"vuln_status":null,"trending_score":null,"is_trending":false,"has_trended":false,"trended_number_one":false,"trending_peak_score":null,"trending_peak_rank":null,"started_trending_at":null,"trended_number_one_at":null,"summary_generated":null,"summary_generated_at":null,"summary_model":null,"created_at":"2026-06-28T17:55:03.830140Z","updated_at":"2026-06-28T23:30:43.417816Z"},"effective_severity":"MEDIUM","badges":[],"impact_analysis":[],"cvss_v3_decoded":{"version":"3.0","metrics":[{"metric":"AV","name":"Attack Vector","value":"N","value_label":"Network"},{"metric":"AC","name":"Attack Complexity","value":"H","value_label":"High"},{"metric":"PR","name":"Privileges Required","value":"N","value_label":"None"},{"metric":"UI","name":"User Interaction","value":"N","value_label":"None"},{"metric":"S","name":"Scope","value":"U","value_label":"Unchanged"},{"metric":"C","name":"Confidentiality","value":"H","value_label":"High"},{"metric":"I","name":"Integrity","value":"N","value_label":"None"},{"metric":"A","name":"Availability","value":"N","value_label":"None"}]},"cvss_v4_decoded":{"version":null,"metrics":[]},"affected":[{"vendor_slug":"nodejs","vendor_name":"nodejs","product_slug":"node","product_name":"node","version_start":"22.22.3","version_start_inclusive":true,"version_end":"22.22.3","version_end_inclusive":true,"cpe23_uri":"cve5:nodejs:node:22.22.3:22.22.3"},{"vendor_slug":"nodejs","vendor_name":"nodejs","product_slug":"node","product_name":"node","version_start":"24.16.0","version_start_inclusive":true,"version_end":"24.16.0","version_end_inclusive":true,"cpe23_uri":"cve5:nodejs:node:24.16.0:24.16.0"},{"vendor_slug":"nodejs","vendor_name":"nodejs","product_slug":"node","product_name":"node","version_start":"26.3.0","version_start_inclusive":true,"version_end":"26.3.0","version_end_inclusive":true,"cpe23_uri":"cve5:nodejs:node:26.3.0:26.3.0"}],"exploit_refs":[],"news":[],"references":[{"url":"https://nodejs.org/en/blog/vulnerability/june-2026-security-releases","source_type":"MISC","tags":[]}],"timeline":[{"type":"published","at":"2026-06-26T01:14:36.524000Z","label":"CVE published","source":null}]}