
Node.js v22.23.0, v24.17.0, v26.3.1 Released with 13 CVE Fixes

  • Shipped
  • Action required
  • High importance

Two HIGH-severity CVEs drive this release. CVE-2026-48933 is an integer overflow in WebCrypto's AES path: hand crypto.subtle.encrypt() a payload whose length is a multiple of 2 GiB and the process crashes, which is a remote denial of service wherever the payload length is attacker-influenced. CVE-2026-48618 is nastier conceptually: TLS wildcard certificate matching mishandled Unicode dot-like separators, so the hostname Node compared against a wildcard could differ from the hostname the rest of the stack believed it was connecting to, and a certificate could be accepted for a name it should not cover. Both affect the v22, v24, and v26 lines. The remaining CVEs range from medium to low: proxy credential leakage, HTTP/2 memory exhaustion, mTLS hostname handling, and a handful of TLS session edge cases. Dependency bumps include llhttp 9.4.2, nghttp2 1.69.0, OpenSSL 3.5.7, and undici 8.5.0. Upgrade to v22.23.0, v24.17.0, or v26.3.1, depending on your line. Until you do, reject non-ASCII hostnames before they reach the TLS layer and cap the size of attacker-controlled buffers handed to WebCrypto.