Overview

Node.js has announced critical security updates addressing 12 vulnerabilities across its product lines. Two high-severity flaws, which can lead to denial-of-service and authentication bypass, have been patched.

The most serious vulnerability affects the WebCrypto API and can trigger a process crash when handling specially crafted inputs. The other high-severity vulnerability concerns improper handling of code, which could enable attackers to bypass authentication and compromise data confidentiality.

  • CVE-2026-48933: WebCrypto Overflow Remote Denial-of-Service (DoS) (CVSSv3.1 TBD, High-severity) 
  • CVE-2026-48618: TLS Unicode Dot Separator Authentication Bypass (CVSSv3.1 TBD, High-severity) 

Affected versions:

  • Node.js Versions 22.x, 24.x and 26.x 

 

F5 has published details of a critical vulnerability and associated mitigations in their NGINX product line. The vulnerability occurs when NGINX is configured to use the HTTP/3 QUIC module, enabling a remote unauthenticated attacker to cause denial-of-service (DoS) or escalate to full Remote Code Execution (RCE). 

  • CVE-2026-42530: NGINX ‘Use-After-Free’ Vulnerability (CVSSv4.0 9.2)

Affected versions: 

  • NGINX Open Source (Versions 1.31.0 – 1.31.1) 
  • NGINX Instance Manager (Versions 2.17.0 – 2.22.0) 
  • NGINX Gateway Fabric (Versions 1.30.0 – 1.6.2, 2.0.0 – 2.6.3) 
  • NGINX Ingress Controller (Versions 3.5.0 – 3.7.2, 4.0.0 – 4.0.1, 5.0.0 – 5.5.0)
     

Splunk has released a security advisory to address a critical vulnerability in Splunk Enterprise. Successful exploitation could allow an unauthenticated attacker to manipulate files and potentially execute arbitrary code on affected systems. 

  • CVE-2026-20253 – ‘Missing Authentication for Critical Function’ vulnerability (CVSS 3.1 score: 9.8)

Affected versions:  

  • Splunk Enterprise (Versions 10.0.X – prior to 10.0.7)
  • Splunk Enterprise (Versions 10.2.X – prior to 10.2.4)

Recommended Action    

Organisations are encouraged to review the appropriate security pages and apply the necessary updates:

Node.js – June 2026 Security Releases 

F5 – Security Advisory (K000161616) 

Splunk Advisories: SVD-2026-0603
