{"api_version":"1","generated_at":"2026-06-23T19:50:55+00:00","cve":"CVE-2026-49252","urls":{"html":"https://cve.report/CVE-2026-49252","api":"https://cve.report/api/cve/CVE-2026-49252.json","docs":"https://cve.report/api","cve_org":"https://www.cve.org/CVERecord?id=CVE-2026-49252","nvd":"https://nvd.nist.gov/vuln/detail/CVE-2026-49252"},"summary":{"title":"deepstream is vulnerable to prototype pollution","description":"deepstream is a server that allows clients and backend services to sync data, send messages and make rpcs at scale. Versions prior to 10.0.5  are vulnerable to Prototype Pollution. Exploitation can lead to potential privilege escalation from any authenticated user with write permission to any record. This issue has been fixed in version 10.0.5.","state":"PUBLISHED","assigner":"GitHub_M","published_at":"2026-06-18 21:16:29","updated_at":"2026-06-23 15:59:21"},"problem_types":["CWE-1321","CWE-1321 CWE-1321: Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')"],"metrics":[{"version":"3.1","source":"security-advisories@github.com","type":"Secondary","score":"9.9","severity":"CRITICAL","vector":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:L","data":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:L","baseScore":9.9,"baseSeverity":"CRITICAL","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"CHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"LOW"}},{"version":"3.1","source":"CNA","type":"DECLARED","score":"9.9","severity":"CRITICAL","vector":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:L","data":{"attackComplexity":"LOW","attackVector":"NETWORK","availabilityImpact":"LOW","baseScore":9.9,"baseSeverity":"CRITICAL","confidentialityImpact":"HIGH","integrityImpact":"HIGH","privilegesRequired":"LOW","scope":"CHANGED","userInteraction":"NONE","vectorString":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:L","version":"3.1"}}],"references":[{"url":"https://github.com/deepstreamIO/deepstream.io/security/advisories/GHSA-9v98-6g37-x9g6","name":"https://github.com/deepstreamIO/deepstream.io/security/advisories/GHSA-9v98-6g37-x9g6","refsource":"security-advisories@github.com","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://github.com/deepstreamIO/deepstream.io/commit/54b8e2958a98df444b5b5d9a66e22872afd84e44","name":"https://github.com/deepstreamIO/deepstream.io/commit/54b8e2958a98df444b5b5d9a66e22872afd84e44","refsource":"security-advisories@github.com","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://www.cve.org/CVERecord?id=CVE-2026-49252","name":"CVE Program record","refsource":"CVE.ORG","tags":["canonical"]},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-49252","name":"NVD vulnerability detail","refsource":"NVD","tags":["canonical","analysis"]}],"affected":[{"source":"CNA","vendor":"deepstreamIO","product":"deepstream.io","version":"affected < 10.0.5","platforms":[]}],"timeline":[],"solutions":[],"workarounds":[],"exploits":[],"credits":[],"nvd_cpes":[],"vendor_comments":[],"enrichments":{"kev":null,"epss":null,"legacy_qids":[]},"source_records":{"cve_program":{"containers":{"adp":[{"metrics":[{"other":{"content":{"id":"CVE-2026-49252","options":[{"Exploitation":"none"},{"Automatable":"no"},{"Technical Impact":"partial"}],"role":"CISA Coordinator","timestamp":"2026-06-22T15:10:20.891417Z","version":"2.0.3"},"type":"ssvc"}}],"providerMetadata":{"dateUpdated":"2026-06-22T15:11:26.795Z","orgId":"134c704f-9b21-4f2e-91b3-4a467353bcc0","shortName":"CISA-ADP"},"title":"CISA ADP Vulnrichment"}],"cna":{"affected":[{"product":"deepstream.io","vendor":"deepstreamIO","versions":[{"status":"affected","version":"< 10.0.5"}]}],"descriptions":[{"lang":"en","value":"deepstream is a server that allows clients and backend services to sync data, send messages and make rpcs at scale. Versions prior to 10.0.5  are vulnerable to Prototype Pollution. Exploitation can lead to potential privilege escalation from any authenticated user with write permission to any record. This issue has been fixed in version 10.0.5."}],"metrics":[{"cvssV3_1":{"attackComplexity":"LOW","attackVector":"NETWORK","availabilityImpact":"LOW","baseScore":9.9,"baseSeverity":"CRITICAL","confidentialityImpact":"HIGH","integrityImpact":"HIGH","privilegesRequired":"LOW","scope":"CHANGED","userInteraction":"NONE","vectorString":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:L","version":"3.1"}}],"problemTypes":[{"descriptions":[{"cweId":"CWE-1321","description":"CWE-1321: Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')","lang":"en","type":"CWE"}]}],"providerMetadata":{"dateUpdated":"2026-06-18T20:01:31.307Z","orgId":"a0819718-46f1-4df5-94e2-005712e83aaa","shortName":"GitHub_M"},"references":[{"name":"https://github.com/deepstreamIO/deepstream.io/security/advisories/GHSA-9v98-6g37-x9g6","tags":["x_refsource_CONFIRM"],"url":"https://github.com/deepstreamIO/deepstream.io/security/advisories/GHSA-9v98-6g37-x9g6"},{"name":"https://github.com/deepstreamIO/deepstream.io/commit/54b8e2958a98df444b5b5d9a66e22872afd84e44","tags":["x_refsource_MISC"],"url":"https://github.com/deepstreamIO/deepstream.io/commit/54b8e2958a98df444b5b5d9a66e22872afd84e44"}],"source":{"advisory":"GHSA-9v98-6g37-x9g6","discovery":"UNKNOWN"},"title":"deepstream is vulnerable to prototype pollution"}},"cveMetadata":{"assignerOrgId":"a0819718-46f1-4df5-94e2-005712e83aaa","assignerShortName":"GitHub_M","cveId":"CVE-2026-49252","datePublished":"2026-06-18T20:01:31.307Z","dateReserved":"2026-05-28T14:33:01.179Z","dateUpdated":"2026-06-22T15:11:26.795Z","state":"PUBLISHED"},"dataType":"CVE_RECORD","dataVersion":"5.2"},"nvd":{"publishedDate":"2026-06-18 21:16:29","lastModifiedDate":"2026-06-23 15:59:21","problem_types":["CWE-1321","CWE-1321 CWE-1321: Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')"],"metrics":{"cvssMetricV31":[{"source":"security-advisories@github.com","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:L","baseScore":9.9,"baseSeverity":"CRITICAL","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"CHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"LOW"},"exploitabilityScore":3.1,"impactScore":6}],"ssvcV203":[{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","ssvcData":{"timestamp":"2026-06-22T15:10:20.891417Z","id":"CVE-2026-49252","options":[{"exploitation":"none"},{"automatable":"no"},{"technicalImpact":"partial"}],"role":"CISA Coordinator","version":"2.0.3"}}]},"configurations":[]},"legacy_mitre":{"record":{"CveYear":"2026","CveId":"49252","Ordinal":"1","Title":"deepstream is vulnerable to prototype pollution","CVE":"CVE-2026-49252","Year":"2026"},"notes":[{"CveYear":"2026","CveId":"49252","Ordinal":"1","NoteData":"deepstream is a server that allows clients and backend services to sync data, send messages and make rpcs at scale. Versions prior to 10.0.5  are vulnerable to Prototype Pollution. Exploitation can lead to potential privilege escalation from any authenticated user with write permission to any record. This issue has been fixed in version 10.0.5.","Type":"Description","Title":"deepstream is vulnerable to prototype pollution"}]}}}