CVE-2026-48615
HIGHDescription
A flaw in Node.js proxy tunnel error handling could expose proxy credentials in `ERR_PROXY_TUNNEL` error messages. When proxy credentials are embedded in the proxy URL, they may be exposed through error handling paths and captured by logs, diagnostics, or other error consumers. This vulnerability affects all supported release lines: **Node.js 22**, **Node.js 24**, and **Node.js 26**.
CVSS v3.1 Score
EPSS — Exploit Prediction
EPSS estimates the probability that this vulnerability will be exploited in the wild within the next 30 days. A higher score means more likely to be exploited.
Weakness Type (CWE)
Affected Products
| Vendor | Product |
|---|---|
| nodejs | node.js |
| nodejs | node.js |
| nodejs | node.js |
References
Advisories & Patches
Frequently Asked Questions
What is CVE-2026-48615? +
How severe is CVE-2026-48615? +
What products are affected by CVE-2026-48615? +
How do I check if I'm vulnerable to CVE-2026-48615? +
Related Vulnerabilities
A user with physical access to a smartphone can bypass authentication mechanism of Kidsview mobile application and grant himself full …
An information disclosure vulnerability in M-Files Server before versions 25.12.15491.7, 25.8 LTS SR3, 25.2 LTS SR3 and 24.8 LTS SR5 …
In Gemini iOS, when a user shared a snippet of a conversation, it would share the entire conversation via a …
Angular is a development platform for building mobile and desktop web applications using TypeScript/JavaScript and other languages. Prior to versions …
gpp-burgerportaal is a Dutch government citizen portal application. In versions before 2.0.3, 3.0.2, and 4.0.1, the name and email address …
Exposure of Private Personal Information to an Unauthorized Actor, : Exposure of Sensitive System Information to an Unauthorized Control Sphere …