What is CVE-2026-21715?

CVE-2026-21715 is a low-severity vulnerability in Nodejs Node. CVSS score: 3.3/10. Published 2026-03-30.

How severe is CVE-2026-21715?

Low severity. CVSS v3 base score is 3.3 out of 10.

Vulnerability in Nodejs Node

CVE-2026-21715

A flaw in Node.js Permission Model filesystem enforcement leaves `fs.realpathSync.native()` without the required read permission checks, while all comparable filesystem functions correctly enforce them. As a result, code running under `…

EPSS: 0.000 (0.3th percentile) — read the EPSS interpretation.

CVSS v3 metric

CVSS v3 base score 3.3 (Low). Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N.

Affected products

Nodejs Node — versions 20.20.1, 22.22.1, 24.14.0

References

nodejs.org/en/blog/vulnerability/march-2026-security-releases

Frequently asked questions

What is CVE-2026-21715?: CVE-2026-21715 is a low-severity vulnerability in Nodejs Node. CVSS score: 3.3/10. Published 2026-03-30.
How severe is CVE-2026-21715?: Low severity. CVSS v3 base score is 3.3 out of 10.