Vulnerability in Dunglas Mercure
CVE-2026-39972
Mercure is a protocol for pushing data updates to web browsers and other HTTP clients in a battery-efficient way. Prior to 0.22.0, a cache key collision vulnerability in TopicSelectorStore allows an attacker to poison the match result cach…
EPSS: 0.000 (11.0th percentile)
Affected products
- Dunglas Mercure — versions < 0.22.0
Weakness classification (CWE)
References
- https://github.com/dunglas/mercure/security/advisories/GHSA-hwr4-mq23-wcv5 (x_refsource_CONFIRM)
- https://github.com/dunglas/mercure/commit/4964a69be904fd61e35b5f1e691271663b6fdd64 (x_refsource_MISC)