CVE-2026-48779
published 2026-06-17


Priority: P3 · 46 · high
CVSS 3.1: 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
EPSS: 0.73% (49.4th percentile)
ws is an open source WebSocket client and server for Node.js. All versions from 1.1.0 up to (but not including) 5.2.5, from 6.0.0 up to 6.2.4, from 7.0.0 up to 7.5.11, and from 8.0.0 up to 8.21.0 are affected by a memory exhaustion DoS vulnerability. A peer can send a high volume of exceptionally small fragments and data chunks, with modest network traffic, to force the remote peer into allocating and holding structural wrappers that consume far more memory than the default documented message-size limit, leading to process termination due to OOM. This issue has been fixed in versions 5.2.5, 6.2.4, 7.5.11, and 8.21.0.

Affected

74 ranges · showing 25
Vendor | Product | Version range | Fixed in
ansible-automation-platform-24 | lightspeed-rhel8 | |
ansible-automation-platform-25 | lightspeed-rhel8 | |
ansible-automation-platform-26 | gateway-rhel9 | |
ansible-automation-platform-26 | lightspeed-rhel9 | |
ansible-automation-platform-27 | gateway-rhel9 | |
ansible-automation-platform-27 | lightspeed-rhel9 | |
ansible-automation-platform | automation-portal | |
ansible-automation-platform | bootc-automation-portal-rhel9 | |
apache | thrift | |
container-native-virtualization | kubevirt-console-plugin | |
container-native-virtualization | kubevirt-console-plugin-rhel9 | |
cryostat | cryostat-openshift-console-plugin-rhel9 | |
debian | ceph | |
devspaces | code-rhel9 | |
devspaces | dashboard-rhel9 | |
discovery | discovery-ui-rhel9 | |
gatekeeper | gatekeeper-rhel9 | |
grafana | grafana | |
odf4 | mcg-core-rhel9 | |
odf4 | odf-console-rhel9 | |
openshift-lightspeed | lightspeed-console-plugin-419-rhel9 | |
openshift-lightspeed | lightspeed-console-plugin-pf5-rhel9 | |
openshift-lightspeed | lightspeed-console-plugin-rhel9 | |
openshift-pipelines | pipelines-console-plugin-pf5-rhel9 | |
openshift-pipelines | pipelines-console-plugin-rhel8 | |

CVSS provenance

nvd | v3.1 | 7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
cvelistv5 | v3.1 | 7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
vendor_redhat | | 7.5 | HIGH |