VYPR

Daphne

by Djangoproject

Source repositories

CVEs (2)

  • CVE-2026-44545MedJun 3, 2026
    risk 0.34cvss 5.3epss 0.00

    daphne before 4.2.2 did not pass maxFramePayloadSize or maxMessagePayloadSize to Autobahn's WebSocketServerFactory. Because Autobahn defaults both values to 0 (unlimited), an unauthenticated remote attacker could send arbitrarily large WebSocket messages or frames, causing…

  • CVE-2026-44546LowJun 3, 2026
    risk 0.24cvss 3.7epss 0.00

    daphne before 4.2.2 reconstructs a raw HTTP request from Twisted's parsed headers and feeds it to autobahn for WebSocket handshake processing. Twisted does not treat \x0b, \x0c, \x1c, \x1d, \x1e, or \x85 as header line separators, but autobahn decodes header values to str and…