From 694c63412092150830820aeb6cc2b64f06ec56e3 Mon Sep 17 00:00:00 2001
From: Create or Update Pull Request Action
 <create-or-update-pull-request@users.noreply.github.com>
Date: Thu, 18 Jun 2026 16:26:28 +0000
Subject: [PATCH] vuln: update core index.json

---
 vuln/core/index.json | 174 +++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 174 insertions(+)

diff --git a/vuln/core/index.json b/vuln/core/index.json
index 82182257..24abee36 100644
--- a/vuln/core/index.json
+++ b/vuln/core/index.json
@@ -2314,5 +2314,179 @@
       "all"
     ],
     "severity": "medium"
+  },
+  "172": {
+    "cve": [
+      "CVE-2026-48615"
+    ],
+    "vulnerable": "22.x || 24.x || 26.x",
+    "patched": "^22.23.0 || ^24.17.0 || ^26.3.1",
+    "ref": "https://nodejs.org/en/blog/vulnerability/june-2026-security-releases",
+    "description": "Proxy credentials leaked in ERR_PROXY_TUNNEL error message",
+    "overview": "A flaw in Node.js proxy tunnel error handling could expose proxy credentials in `ERR_PROXY_TUNNEL` error messages.\n\nWhen proxy credentials are embedded in the proxy URL, they may be exposed through error handling paths and captured by logs, diagnostics, or other error consumers.\n\nThis vulnerability affects all supported release lines: **Node.js 22**, **Node.js 24**, and **Node.js 26**.",
+    "affectedEnvironments": [
+      "all"
+    ],
+    "severity": "medium"
+  },
+  "173": {
+    "cve": [
+      "CVE-2026-48617"
+    ],
+    "vulnerable": "22.x || 24.x || 26.x",
+    "patched": "^22.23.0 || ^24.17.0 || ^26.3.1",
+    "ref": "https://nodejs.org/en/blog/vulnerability/june-2026-security-releases",
+    "description": "Permission Model Bypass via `process.report.writeReport()` Path Misvalidation",
+    "overview": "A flaw in Node.js Permission Model enforcement allows Bypass via `process.report.writeReport()` Path Misvalidation.\n\nThis can lead to confidentiality impact or bypass of the intended security boundary under affected configurations.\n\nThis vulnerability affects all supported release lines: **Node.js 22**, **Node.js 24**, and **Node.js 26**.",
+    "affectedEnvironments": [
+      "all"
+    ],
+    "severity": "low"
+  },
+  "174": {
+    "cve": [
+      "CVE-2026-48618"
+    ],
+    "vulnerable": "22.x || 24.x || 26.x",
+    "patched": "^22.23.0 || ^24.17.0 || ^26.3.1",
+    "ref": "https://nodejs.org/en/blog/vulnerability/june-2026-security-releases",
+    "description": "Node.js unicode dot separator handling can lead to tls wildcard-depth authentication bypass due to resolver and verifier hostname normalization mismat",
+    "overview": "A flaw in Node.js TLS hostname handling can cause Node.js unicode dot separator handling can lead to tls wildcard-depth authentication bypass due to resolver and verifier hostname normalization mismat.\n\nThis can lead to confidentiality impact or bypass of the intended security boundary under affected configurations.\n\nThis vulnerability affects all supported release lines: **Node.js 22**, **Node.js 24**, and **Node.js 26**.",
+    "affectedEnvironments": [
+      "all"
+    ],
+    "severity": "high"
+  },
+  "175": {
+    "cve": [
+      "CVE-2026-48619"
+    ],
+    "vulnerable": "22.x || 24.x || 26.x",
+    "patched": "^22.23.0 || ^24.17.0 || ^26.3.1",
+    "ref": "https://nodejs.org/en/blog/vulnerability/june-2026-security-releases",
+    "description": "Unbounded memory growth in `node:http2` clients via attacker-controlled ORIGIN frames",
+    "overview": "A flaw in Node.js HTTP/2 client allows a server to send an unlimited number of ORIGIN frames, which could lead to an Out of Memory error on the client.\n\nThis vulnerability affects all supported release lines: **Node.js 22**, **Node.js 24**, and **Node.js 26**.",
+    "affectedEnvironments": [
+      "all"
+    ],
+    "severity": "medium"
+  },
+  "176": {
+    "cve": [
+      "CVE-2026-48937"
+    ],
+    "vulnerable": "22.x || 24.x",
+    "patched": "^22.23.0 || ^24.17.0",
+    "ref": "https://nodejs.org/en/blog/vulnerability/june-2026-security-releases",
+    "description": "HTTP/2 sessions never clean up after GOAWAY on invalid protocol errors",
+    "overview": "A flaw in Node.js HTTP/2 server API can cause servers to keep accepting data even after sending a `GOAWAY` frame.\n\nThis vulnerability affects two supported release lines: **Node.js 22** and **Node.js 24**.",
+    "affectedEnvironments": [
+      "all"
+    ],
+    "severity": "medium"
+  },
+  "177": {
+    "cve": [
+      "CVE-2026-48928"
+    ],
+    "vulnerable": "22.x || 24.x || 26.x",
+    "patched": "^22.23.0 || ^24.17.0 || ^26.3.1",
+    "ref": "https://nodejs.org/en/blog/vulnerability/june-2026-security-releases",
+    "description": "Uppercase sni context matching can lead to mtls authorization bypass due to case-sensitive hostname matching",
+    "overview": "A inconsistency in Node.js hostname matching can cause a trust-policy bypass in multi-context mTLS setups.\n\nThis vulnerability affects all supported release lines: **Node.js 22**, **Node.js 24**, and **Node.js 26**.",
+    "affectedEnvironments": [
+      "all"
+    ],
+    "severity": "medium"
+  },
+  "178": {
+    "cve": [
+      "CVE-2026-48930"
+    ],
+    "vulnerable": "22.x || 24.x || 26.x",
+    "patched": "^22.23.0 || ^24.17.0 || ^26.3.1",
+    "ref": "https://nodejs.org/en/blog/vulnerability/june-2026-security-releases",
+    "description": "Embedded-nul hostnames can lead to silent authority rebinding due to c-string truncation in resolver bindings",
+    "overview": "A flaw in Node.js TLS hostname handling can cause Embedded-nul hostnames can lead to silent authority rebinding due to c-string truncation in resolver bindings.\n\nThis vulnerability affects all supported release lines: **Node.js 22**, **Node.js 24**, and **Node.js 26**.",
+    "affectedEnvironments": [
+      "all"
+    ],
+    "severity": "medium"
+  },
+  "179": {
+    "cve": [
+      "CVE-2026-48934"
+    ],
+    "vulnerable": "22.x || 24.x || 26.x",
+    "patched": "^22.23.0 || ^24.17.0 || ^26.3.1",
+    "ref": "https://nodejs.org/en/blog/vulnerability/june-2026-security-releases",
+    "description": "TLS host identity verification bypass via session reuse with different servername leads to unauthorized connections",
+    "overview": "A flaw in Node.js TLS host verification can cause an attacker to bypass certification validation.\n\nThis vulnerability affects all supported release lines: **Node.js 22**, **Node.js 24**, and **Node.js 26**.",
+    "affectedEnvironments": [
+      "all"
+    ],
+    "severity": "medium"
+  },
+  "180": {
+    "cve": [
+      "CVE-2026-48935"
+    ],
+    "vulnerable": "22.x || 24.x || 26.x",
+    "patched": "^22.23.0 || ^24.17.0 || ^26.3.1",
+    "ref": "https://nodejs.org/en/blog/vulnerability/june-2026-security-releases",
+    "description": "Permission Model bypass via FileHandle.utimes() in the promises API",
+    "overview": "A flaw in Node.js Permission API can cause a file metadata to be modified even on a path that was set as read-only with e.g. `--allow-fs-read`.\n\nThis vulnerability affects all supported release lines: **Node.js 22**, **Node.js 24**, and **Node.js 26**.",
+    "affectedEnvironments": [
+      "all"
+    ],
+    "severity": "low"
+  },
+  "181": {
+    "cve": [
+      "CVE-2026-48936"
+    ],
+    "vulnerable": "26.x",
+    "patched": "^26.3.1",
+    "ref": "https://nodejs.org/en/blog/vulnerability/june-2026-security-releases",
+    "description": "Unix domain socket server bypasses --permission network restrictions (incomplete CVE-2026-21636 fix)",
+    "overview": "A flaw in Node.js Permission API can cause a local server to be started (via a Unix domain socket), even without the `--allow-net` permission.\n\nThis vulnerability affects one supported release line: **Node.js 26**.",
+    "affectedEnvironments": [
+      "aix",
+      "darwin",
+      "freebsd",
+      "linux",
+      "openbsd",
+      "sunos",
+      "android"
+    ],
+    "severity": "low"
+  },
+  "182": {
+    "cve": [
+      "CVE-2026-48931"
+    ],
+    "vulnerable": "22.x || 24.x || 26.x",
+    "patched": "^22.23.0 || ^24.17.0 || ^26.3.1",
+    "ref": "https://nodejs.org/en/blog/vulnerability/june-2026-security-releases",
+    "description": "HTTP Response Queue Poisoning via TOCTOU Race Condition in `http.Agent`",
+    "overview": "A flaw in Node.js HTTP Agent can cause a client to accept as valid a response that is send before the client has sent the request.\n\nThis vulnerability affects all supported release lines: **Node.js 22**, **Node.js 24**, and **Node.js 26**.",
+    "affectedEnvironments": [
+      "all"
+    ],
+    "severity": "low"
+  },
+  "183": {
+    "cve": [
+      "CVE-2026-48933"
+    ],
+    "vulnerable": "22.x || 24.x || 26.x",
+    "patched": "^22.23.0 || ^24.17.0 || ^26.3.1",
+    "ref": "https://nodejs.org/en/blog/vulnerability/june-2026-security-releases",
+    "description": "Node.js WebCrypto AES Integer Overflow Leads to Remote Process Abort (DoS)",
+    "overview": "A flaw in Node.js WebCrypto implementation can crash the process if the input of `subtle.encrypt()` is a multiple of 2GiB.\n\nThis vulnerability affects all supported release lines: **Node.js 22**, **Node.js 24**, and **Node.js 26**.\n",
+    "affectedEnvironments": [
+      "all"
+    ],
+    "severity": "high"
   }
 }
\ No newline at end of file