PatchSiren

websockets CVE debriefs

These pages are published after PatchSiren validates generated defensive summaries against stored public CVE and source evidence.

MEDIUM websockets CVE published 2026-05-15

CVE-2026-45736

CVE-2026-45736 affects ws, the open source WebSocket client and server for Node.js. The issue is an uninitialized memory disclosure in websocket.close() when a TypedArray is supplied as the reason argument. The fix is in ws 8.20.1. The CVE was published on 2026-05-15 and last modified on 2026-05-18.