The two leads are worth knowing by name. CVE-2026-48933 is a WebCrypto AES integer overflow that can crash the process — every maintained line (v22, v24, v26) is affected. CVE-2026-48618 is a TLS wildcard-depth authentication bypass exploitable via unicode hostname crafting, also HIGH severity across all three release lines. Eleven additional medium and low CVEs round out the release. Upgrade to v22.23.0, v24.17.0, or v26.3.1 depending on your line. The process-crash vector on the WebCrypto flaw means this affects production stability, not just security posture.