CVE-2026-59725 is a high-severity vulnerability affecting Socket.IO's Engine.IO protocol. Versions from 4.1.0 to 6.6.6 are affected. The issue allows unauthenticated attackers to cause a denial of service by exhausting server-side connections and sockets through invalid binary POST requests with Content-Type: application/octet-stream. This vulnerability is fixed in version 6.6.7. The vulnerability has a C [truncated]
CVE-2026-59724 is a denial of service vulnerability in Socket.IO Engine.IO versions 6.5.0 to 6.6.6. The issue arises from the improper handling of crafted session IDs during WebTransport upgrade handling, leading to a TypeError. This vulnerability has been addressed in version 6.6.7. Users should review their deployments and update to the patched version to prevent potential denial of service attacks.