Synopsis
| Issued | 2026-06-22 |
| Severity | Awaiting Analysis |
| Updated Packages | kusanagi-nodejs22 |
| Affected Products | KUSANAGI 9, Business Edition, Page Speed Technology, Security Edition |
Description
An update for kusanagi-nodejs22 is now available.
Security fix(es):
- (CVE-2026-48618) tls: normalize hostname for server identity checks (Matteo Collina) – High
- (CVE-2026-48933) crypto: guard WebCrypto cipher output length (Filip Skokan) – High
- (CVE-2026-48937) deps: fix integration issues with the latest nghttp2 – Medium
- (CVE-2026-48930) dns,net: reject hostnames with embedded NUL bytes (Matteo Collina) – Medium
- (CVE-2026-48619) http2: cap originSet size to prevent unbounded memory growth (Matteo Collina) – Medium
- (CVE-2026-48615) lib,test: redact proxy credentials in tunnel errors (Matteo Collina) – Medium
- (CVE-2026-48934) tls: bind reusable sessions to authenticated host (Matteo Collina) – Medium
- (CVE-2026-48928) tls: fix case-sensitive SNI context matching (Matteo Collina) – Medium
- (CVE-2026-48617) permission: handle process.chdir on writereport (RafaelGSS) – Low
- (CVE-2026-48931) http: fix response queue poisoning in http.Agent (Matteo Collina) – Low
- (CVE-2026-48935) permission: disable FileHandle utimes with permission model (RafaelGSS) – Low
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
CVE information may not yet be available on those CVE pages.
References
- CVE-2026-48618
- CVE-2026-48933
- CVE-2026-48937
- CVE-2026-48930
- CVE-2026-48619
- CVE-2026-48615
- CVE-2026-48934
- CVE-2026-48928
- CVE-2026-48617
- CVE-2026-48931
- CVE-2026-48935