resolved
HTTP Response Queue Poisoning via TOCTOU Race Condition in `http.Agent`
Bug reported by 陳昱昇 was disclosed at June 25, 2026, 5:03 am | Time-of-check Time-of-use (TOCTOU) Race Condition
resolved
Unix domain socket server bypasses --permission network restrictions (incomplete CVE-2026-21636 fix)
Bug reported by Vitaly was disclosed at June 25, 2026, 5:03 am | Improper Access Control - Generic
resolved
Node.js unicode dot separator handling can lead to tls wildcard-depth authentication bypass due to resolver and verifier hostname normalization mismat
Bug reported by Tasos Meletlidis was disclosed at June 25, 2026, 5:02 am | Improper Handling of Unicode Encoding
resolved
Uppercase sni context matching can lead to mtls authorization bypass due to case-sensitive hostname matching
Bug reported by Tasos Meletlidis was disclosed at June 25, 2026, 5:01 am | Improper Access Control - Generic
resolved
TLS host identity verification bypass via session reuse with different servername leads to unauthorized connections
Bug reported by 3d7omb was disclosed at June 25, 2026, 5:01 am | Exploiting Incorrectly Configured SSL/TLS
resolved
Permission Model bypass via FileHandle.utimes() in the promises API
Bug reported by Muhammad Daffa was disclosed at June 25, 2026, 5:00 am | Incorrect Default Permissions
resolved
Proxy credentials leaked in ERR_PROXY_TUNNEL error message
Bug reported by Ali Saifeldin was disclosed at June 25, 2026, 5:00 am | Privacy Violation
resolved
Unbounded memory growth in `node:http2` clients via attacker-controlled ORIGIN frames
Bug reported by kingsd was disclosed at June 25, 2026, 4:59 am | Uncontrolled Resource Consumption
resolved
Embedded-nul hostnames can lead to silent authority rebinding due to c-string truncation in resolver bindings
Bug reported by Tasos Meletlidis was disclosed at June 25, 2026, 4:59 am | Improper Access Control - Generic
resolved
Node.js WebCrypto AES Integer Overflow Leads to Remote Process Abort (DoS)
Bug reported by Erichen was disclosed at June 25, 2026, 4:58 am | Integer Overflow
resolved
CVE-2026-11564: Native CA trust persist
Bug reported by Daniel Stenberg was disclosed at June 24, 2026, 8:30 am |
A vulnerability was discovered in the libcurl library where native CA trust could persist after an easy handle switched to custom CA material. It affected builds of libcurl with the native CA trust feature enabled. The library did not reset the native CA trust state when custom CA options were set, so the previously enabled native trust remained active. This could lead to a trust policy bypass: the library would continue to trust certificates from the native platform store even after the application had configured custom CA material.
resolved
CVE-2026-12064: proto-default skips SSH verification
Bug reported by alienowo was disclosed at June 24, 2026, 8:29 am | Improper Certificate Validation
resolved
CVE-2026-11586: WS Auto-PONG memory exhaustion
Bug reported by evergarden1123 was disclosed at June 24, 2026, 8:29 am | Allocation of Resources Without Limits or Throttling
resolved
CVE-2026-11352: QUIC zero-length UDP datagrams busy-loop
Bug reported by vectorqueue was disclosed at June 24, 2026, 8:29 am | Uncontrolled Resource Consumption
resolved
CVE-2026-10536: HTTP/2 stream-dependency tree UAF
Bug reported by Anteater was disclosed at June 24, 2026, 8:28 am | Buffer Over-read
resolved
CVE-2026-8924: trailing dot domain super cookie
Bug reported by VEGA was disclosed at June 24, 2026, 8:28 am | Use of Incorrectly-Resolved Name or Reference
resolved
CVE-2026-9546: sending old referer
Bug reported by renjian was disclosed at June 24, 2026, 8:27 am | Use After Free
resolved
CVE-2026-9079: stale proxy password leak
Bug reported by Keenan was disclosed at June 24, 2026, 8:26 am | Information Disclosure
resolved
CVE-2026-9080: UAF after pause in socket callback
Bug reported by Anteater was disclosed at June 24, 2026, 8:25 am | Use After Free
resolved
CVE-2026-8286: wrong STARTTLS connection reuse
Bug reported by Daniel Stenberg was disclosed at June 24, 2026, 8:25 am |
A vulnerability was found in the curl library that allowed a plain-text connection to reuse an existing SSL-upgraded connection without verifying the SSL configuration. This could enable a man-in-the-middle attack if an attacker was able to intercept the initial STARTTLS upgrade. The issue was caused by the lack of a protocol-specific check of the SSL configuration when reusing a connection.
resolved
CVE-2026-8932: incomplete mTLS config matching in conn reuse
Bug reported by Anteater was disclosed at June 24, 2026, 8:25 am | Business Logic Errors
resolved
CVE-2026-8927: env-set cross-proxy Digest auth state leak
Bug reported by Ady Elouej was disclosed at June 24, 2026, 8:24 am | Improper Authentication - Generic
resolved
CVE-2026-8925: SASL double-free
Bug reported by Anteater was disclosed at June 24, 2026, 8:23 am | Double Free
resolved
CVE-2026-8926: password leak with netrc and user in URL
Bug reported by Anteater was disclosed at June 24, 2026, 8:23 am | Information Disclosure
resolved
CVE-2026-8458: wrong reuse for different services
Bug reported by was disclosed at June 24, 2026, 8:23 am | Authentication Bypass by Primary Weakness
resolved
Insufficient checks in the file path parameter allow writing to unauthorized directories
Bug reported by Axolot was disclosed at June 24, 2026, 7:03 am | External Control of File Name or Path
A directory traversal vulnerability was identified in the file upload functionality. Authenticated users could write files to parent directories outside the intended upload location by manipulating the path parameter. The issue was classified as Low severity due to limited impact. The vulnerability has been remediated through proper path sanitization.
resolved
CVE-2026-9545: exposing HTTP/3 early data
Bug reported by Eunsoo Kim was disclosed at June 24, 2026, 6:24 am | Improper Certificate Validation
resolved
CVE-2026-11856: cross-origin Digest auth state leak
Bug reported by John was disclosed at June 24, 2026, 6:21 am | Information Exposure Through Sent Data