cbcvebase.
CVE-2026-48042
published 2026-06-26

CVE-2026-48042: Envoy is an open source edge and service proxy designed for cloud-native applications. Prior to 1.35.11, 1.36.7, 1.37.3, and 1.38.1, destructor of JSON Object…

PriorityP345high7.5CVSS 3.1
AVNACLPRNUINSUCNINAH
EPSS
0.56%
42.2th percentile
Envoy is an open source edge and service proxy designed for cloud-native applications. Prior to 1.35.11, 1.36.7, 1.37.3, and 1.38.1, destructor of JSON Object results in stack overflow when deeply O(100K) nested objects are present. This vulnerability is fixed in 1.35.11, 1.36.7, 1.37.3, and 1.38.1.

Affected

8 ranges
VendorProductVersion rangeFixed in
envoyproxyenvoy< 1.35.111.35.11
envoyproxyenvoy
envoyproxyenvoy
envoyproxyenvoy
envoyproxyenvoy>= 1.18.0 < 1.35.131.35.13
envoyproxyenvoy>= 1.36.0 < 1.36.91.36.9
envoyproxyenvoy>= 1.37.0 < 1.37.51.37.5
envoyproxyenvoy>= 1.38.0 < 1.38.31.38.3
Stop checking back — get the weekly exploitation signal.

Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.