Medium severity4.4NVD Advisory· Published May 15, 2026· Updated May 16, 2026

CVE-2026-45736

Description

ws is an open source WebSocket client and server for Node.js. Prior to 8.20.1, the websocket.close() implementation is vulnerable to uninitialized memory disclosure when a TypedArray is passed as the reason argument. This vulnerability is fixed in 8.20.1.

Affected products

Websockets/Wsreferences

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

github.com/websockets/ws/commit/c0327ec15a54d701eb6ccefaa8bef328cfc03086nvd
github.com/websockets/ws/security/advisories/GHSA-58qx-3vcg-4xpxnvd

News mentions

No linked articles in our index yet.

cvss	0.286
epss	0.000
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000