CVE-2026-48935: CWE-276 Incorrect Default Permissions in nodejs node – Live Threat Intelligence – Threat Radar
This vulnerability in Node.js arises from incorrect default permissions in the Permission API, which can lead to unauthorized modification of file metadata even on paths designated as read-only via options such as –allow-fs-read. The flaw affects the Node.js versions 22.22.3, 24.16.0, and 26.3.0. The CVSS 3.0 base score is 3.3, indicating low severity, with an attack vector requiring local access and low privileges. There is no evidence of known exploits in the wild, and no official remediation or patch has been documented at this time.
Read more here: Source link
