PatchSiren

OpenTelemetry CVE debriefs

These pages are published after PatchSiren validates generated defensive summaries against stored public CVE and source evidence.

HIGH OpenTelemetry CVE published 2026-05-27

CVE-2026-44902

A vulnerability in the OpenTelemetry JavaScript Prometheus exporter allows remote attackers to crash Node.js processes via malformed HTTP requests. The metrics endpoint (default 0.0.0.0:9464) lacks error handling for URL parsing, causing an uncaught TypeError that terminates the process. This affects versions prior to 0.217.0. The vulnerability was published on 2026-05-27 and carries a HIGH severity CVSS [truncated]