One CVE affecting Node.js is included in the broader batch under improper input validation (CWE-20). No active exploitation evidence was present in source data. Note that Node.js also appears as a campaign-relevant runtime in both the RoadK1ll implant (SCC-CAM-2026-0126) and the Axios supply chain compromise (SCC-CAM-2026-0128), making Node.js runtime hygiene a broader theme for this period beyond this individual CVE. Verify affected Node.js versions and apply patches per the official Node.js security release page at nodejs.org/en/blog/vulnerability.