HTTP Response Queue Poisoning via TOCTOU Race Condition in `http.Agent`

Bug reported by 陳昱昇 was disclosed at June 25, 2026, 5:03 am   |   Time-of-check Time-of-use (TOCTOU) Race Condition

Unix domain socket server bypasses --permission network restrictions (incomplete CVE-2026-21636 fix)

Bug reported by Vitaly was disclosed at June 25, 2026, 5:03 am   |   Improper Access Control - Generic

Node.js unicode dot separator handling can lead to tls wildcard-depth authentication bypass due to resolver and verifier hostname normalization mismat

Bug reported by Tasos Meletlidis was disclosed at June 25, 2026, 5:02 am   |   Improper Handling of Unicode Encoding

Uppercase sni context matching can lead to mtls authorization bypass due to case-sensitive hostname matching

Bug reported by Tasos Meletlidis was disclosed at June 25, 2026, 5:01 am   |   Improper Access Control - Generic

TLS host identity verification bypass via session reuse with different servername leads to unauthorized connections

Bug reported by 3d7omb was disclosed at June 25, 2026, 5:01 am   |   Exploiting Incorrectly Configured SSL/TLS

Permission Model bypass via FileHandle.utimes() in the promises API

Bug reported by Muhammad Daffa was disclosed at June 25, 2026, 5:00 am   |   Incorrect Default Permissions

Proxy credentials leaked in ERR_PROXY_TUNNEL error message

Bug reported by Ali Saifeldin was disclosed at June 25, 2026, 5:00 am   |   Privacy Violation

Unbounded memory growth in `node:http2` clients via attacker-controlled ORIGIN frames

Bug reported by kingsd was disclosed at June 25, 2026, 4:59 am   |   Uncontrolled Resource Consumption

Embedded-nul hostnames can lead to silent authority rebinding due to c-string truncation in resolver bindings

Bug reported by Tasos Meletlidis was disclosed at June 25, 2026, 4:59 am   |   Improper Access Control - Generic

Node.js WebCrypto AES Integer Overflow Leads to Remote Process Abort (DoS)

Bug reported by Erichen was disclosed at June 25, 2026, 4:58 am   |   Integer Overflow

CVE-2026-11564: Native CA trust persist

Bug reported by Daniel Stenberg was disclosed at June 24, 2026, 8:30 am   |  

A vulnerability was discovered in the libcurl library where a native CA trust could persist after an easy handle switches to custom CA material. The vulnerability was found to affect builds of libcurl that enable the native CA trust feature. The issue stemmed from the fact that the library did not properly reset the native CA trust state when custom CA options were set, allowing the previously enabled native trust to remain active. This could lead to a potential trust policy bypass, where the library would continue to trust certificates from the native platform store even after the application had configured custom CA material.

CVE-2026-12064: proto-default skips SSH verification

Bug reported by alienowo was disclosed at June 24, 2026, 8:29 am   |   Improper Certificate Validation

CVE-2026-11586: WS Auto-PONG memory exhaustion

Bug reported by evergarden1123 was disclosed at June 24, 2026, 8:29 am   |   Allocation of Resources Without Limits or Throttling

CVE-2026-11352: QUIC zero-length UDP datagrams busy-loop

Bug reported by vectorqueue was disclosed at June 24, 2026, 8:29 am   |   Uncontrolled Resource Consumption

CVE-2026-10536: HTTP/2 stream-dependency tree UAF

Bug reported by Anteater was disclosed at June 24, 2026, 8:28 am   |   Buffer Over-read

CVE-2026-8924: trailing dot domain super cookie

Bug reported by VEGA was disclosed at June 24, 2026, 8:28 am   |   Use of Incorrectly-Resolved Name or Reference

CVE-2026-9546: sending old referer

Bug reported by renjian was disclosed at June 24, 2026, 8:27 am   |   Use After Free

CVE-2026-9079: stale proxy password leak

Bug reported by Keenan was disclosed at June 24, 2026, 8:26 am   |   Information Disclosure

CVE-2026-9080: UAF after pause in socket callback

Bug reported by Anteater was disclosed at June 24, 2026, 8:25 am   |   Use After Free

CVE-2026-8286: wrong STARTTLS connection reuse

Bug reported by Daniel Stenberg was disclosed at June 24, 2026, 8:25 am   |  

A vulnerability was found in the Curl library that allowed a plain-text connection to reuse an existing SSL-upgraded connection without verifying the SSL configuration. This could lead to a man-in-the-middle attack if an attacker was able to intercept the initial STARTTLS upgrade. The issue was caused by the lack of a protocol-specific check for the SSL configuration when reusing a connection.

CVE-2026-8932: incomplete mTLS config matching in conn reuse

Bug reported by Anteater was disclosed at June 24, 2026, 8:25 am   |   Business Logic Errors

CVE-2026-8927: env-set cross-proxy Digest auth state leak

Bug reported by Ady Elouej was disclosed at June 24, 2026, 8:24 am   |   Improper Authentication - Generic

CVE-2026-8925: SASL double-free

Bug reported by Anteater was disclosed at June 24, 2026, 8:23 am   |   Double Free

CVE-2026-8926: password leak with netrc and user in URL

Bug reported by Anteater was disclosed at June 24, 2026, 8:23 am   |   Information Disclosure

CVE-2026-8458: wrong reuse for different services

Bug reported by was disclosed at June 24, 2026, 8:23 am   |   Authentication Bypass by Primary Weakness

Insufficient checks in the file path parameter allow writing to unauthorized directories

Bug reported by Axolot was disclosed at June 24, 2026, 7:03 am   |   External Control of File Name or Path

A directory traversal vulnerability was identified in the file upload functionality. Authenticated users could write files to parent directories outside the intended upload location by manipulating the path parameter. The issue was classified as Low severity due to limited impact. The vulnerability has been remediated through proper path sanitization.

CVE-2026-9545: exposing HTTP/3 early data

Bug reported by Eunsoo Kim was disclosed at June 24, 2026, 6:24 am   |   Improper Certificate Validation

CVE-2026-11856: cross-origin Digest auth state leak

Bug reported by John was disclosed at June 24, 2026, 6:21 am   |   Information Exposure Through Sent Data