CVE-2026-48068
Received
Received - Intake
BaseFortify
Vulnerability report for CVE-2026-48068, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.
Publication date: 2026-07-14
Last updated on: 2026-07-14
Assigner: GitHub, Inc.
Description
Description
@grpc/grps-js implements the core functionality of gRPC purely in JavaScript, without a C++ addon. Prior to 1.9.16, 1.10.12, 1.11.4, 1.12.7, 1.13.5, and 1.14.4, an invalid incoming HTTP/2 stream initiation can cause a server process created using @grpc/grpc-js to crash. This issue is fixed in versions 1.9.16, 1.10.12, 1.11.4, 1.12.7, 1.13.5, and 1.14.4.
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| grpc | grpc-js | to 1.9.16 (exc) |
| grpc | grpc-js | 1.9.16 |
| grpc | grpc-js | 1.10.12 |
| grpc | grpc-js | 1.11.4 |
| grpc | grpc-js | 1.12.7 |
| grpc | grpc-js | 1.13.5 |
| grpc | grpc-js | 1.14.4 |
| murgatroid99 | @grpc | grpc-js |
| murgatroid99 | @grpc | From 1.10.0 (inc) to 1.14.4 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-248 | An exception is thrown from a function, but it is not caught. |