← back
CVE-2026-49252

deepstream is vulnerable to prototype pollution

CVSS 9.9 CRITICALEPSS 0.3%CWE-1321
Vexday Risk Score
28Low
SSVC decision (CISA)
Track
No exploitation signal → monitor
CVSS 9.9EPSS 0.3%KEV nãoPoC Nuclei Metasploit Patch
Lifecycle
18 Jun 2026Published on NVD
Recommendation: Monitor — no exploitation signal at the moment.
deepstream is a server that allows clients and backend services to sync data, send messages and make rpcs at scale. Versions prior to 10.0.5 are vulnerable to Prototype Pollution. Exploitation can lead to potential privilege escalation from any authenticated user with write permission to any record. This issue has been fixed in version 10.0.5.
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:L
Affected products
deepstreamIO · deepstream.io

Want to know if your infrastructure is exposed to this?

Talk to TrueHacking →
References
https://github.com/deepstreamIO/deepstream.io/commit/54b8e2958a98df444b5b5d9a66e22872afd84e44https://github.com/deepstreamIO/deepstream.io/security/advisories/GHSA-9v98-6g37-x9g6