What is CVE-2026-49252?

CVE-2026-49252 is a critical-severity vulnerability in Deepstreamio Deepstream.io, classified under Improperly Controlled Modification of Object Prototype Attributes (Prototype Pollution). CVSS score: 9.9/10. Published 2026-06-18.

How severe is CVE-2026-49252?

Critical severity. CVSS v3 base score is 9.9 out of 10.

Prototype Pollution in Deepstreamio Deepstream.io

CVE-2026-49252

deepstream is a server that allows clients and backend services to sync data, send messages and make rpcs at scale. Versions prior to 10.0.5 are vulnerable to Prototype Pollution. Exploitation can lead to potential privilege escalation fr…

Vulnerability class: Prototype Pollution

CVSS v3 metric

CVSS v3 base score 9.9 (Critical). Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:L.

Affected products

Deepstreamio Deepstream.io — versions < 10.0.5

Weakness classification (CWE)

CWE-1321 — Improperly Controlled Modification of Object Prototype Attributes (Prototype Pollution)

References

security-advisories@github.com (x_refsource_CONFIRM)
security-advisories@github.com (x_refsource_MISC)

Frequently asked questions

What is CVE-2026-49252?: CVE-2026-49252 is a critical-severity vulnerability in Deepstreamio Deepstream.io, classified under Improperly Controlled Modification of Object Prototype Attributes (Prototype Pollution). CVSS score: 9.9/10. Published 2026-06-18.
How severe is CVE-2026-49252?: Critical severity. CVSS v3 base score is 9.9 out of 10.