CVE-2026-48935 — LOW (3.3) — White Hats Nepal

Vulnerability Description

A flaw in Node.js Permission API can cause a file metadata to be modified even on a path that was set as read-only with e.g. `--allow-fs-read`. This vulnerability affects all supported release lines: **Node.js 22**, **Node.js 24**, and **Node.js 26**.

CVSS Score

3.3

LOW

CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality

NONE

Integrity

LOW

Availability

NONE

Affected Products

Vendor	Product	Versions
Nodejs	Node.Js	22.22.3

Related Weaknesses (CWE)

CWE-276

References

https://nodejs.org/en/blog/vulnerability/june-2026-security-releasesPatchVendor Advisory

FAQ

What is CVE-2026-48935?

CVE-2026-48935 is a vulnerability with a CVSS score of 3.3 (LOW). A flaw in Node.js Permission API can cause a file metadata to be modified even on a path that was set as read-only with e.g. `--allow-fs-read`. This vulnerability affects all supported release line...

How severe is CVE-2026-48935?

CVE-2026-48935 has been rated LOW with a CVSS base score of 3.3/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2026-48935?

Check the references section above for vendor advisories and patch information. Affected products include: Nodejs Node.Js.