cbcvebase.
CVE-2026-45736
published 2026-05-15

CVE-2026-45736: ws is an open source WebSocket client and server for Node.js. Prior to 8.20.1, the websocket.close() implementation is vulnerable to uninitialized memory…

PriorityP343high7.5CVSS 3.1
AVNACLPRNUINSUCHINAN
EPSS
0.72%
49.2th percentile
ws is an open source WebSocket client and server for Node.js. Prior to 8.20.1, the websocket.close() implementation is vulnerable to uninitialized memory disclosure when a TypedArray is passed as the reason argument. This vulnerability is fixed in 8.20.1.

Affected

71 ranges· showing 25
VendorProductVersion rangeFixed in
ansible-automation-platform-24lightspeed-rhel8
ansible-automation-platform-25lightspeed-rhel8
ansible-automation-platform-26gateway-rhel9
ansible-automation-platform-26lightspeed-rhel9
ansible-automation-platform-27gateway-rhel9
ansible-automation-platform-27lightspeed-rhel9
ansible-automation-platformautomation-portal
ansible-automation-platformbootc-automation-portal-rhel9
apachethrift
clusterlabspcs
container-native-virtualizationkubevirt-console-plugin
container-native-virtualizationkubevirt-console-plugin-rhel9
cryostatcryostat-openshift-console-plugin-rhel9
debianceph
discoverydiscovery-ui-rhel9
gatekeepergatekeeper-rhel9
grafanagrafana
mozillathunderbird
odf4mcg-core-rhel9
odf4ocs-client-console-rhel9
odf4odf-console-rhel9
odf4odf-multicluster-console-rhel9
openshift-lightspeedlightspeed-console-plugin-419-rhel9
openshift-lightspeedlightspeed-console-plugin-pf5-rhel9
openshift-lightspeedlightspeed-console-plugin-rhel9

CVSS provenance

nvdv3.17.5HIGHCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
ghsa4.4MEDIUM
vendor_redhat7.5HIGH
Stop checking back — get the weekly exploitation signal.

Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.