CVE-2026-48069
Received
Received - Intake
BaseFortify
Vulnerability report for CVE-2026-48069, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.
Publication date: 2026-07-14
Last updated on: 2026-07-14
Assigner: GitHub, Inc.
Description
Description
@grpc/grps-js implements the core functionality of gRPC purely in JavaScript, without a C++ addon. Prior to 1.9.16, 1.10.12, 1.11.4, 1.12.7, 1.13.5, and 1.14.4, an invalid incoming compressed message can cause a client or server process that uses @grpc/grpc-js to crash. This issue is fixed in versions 1.9.16, 1.10.12, 1.11.4, 1.12.7, 1.13.5, and 1.14.4.
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| grpc | grpc-js | 1.9.16 |
| grpc | grpc-js | 1.10.12 |
| grpc | grpc-js | 1.11.4 |
| grpc | grpc-js | 1.12.7 |
| grpc | grpc-js | 1.13.5 |
| grpc | grpc-js | 1.14.4 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-248 | An exception is thrown from a function, but it is not caught. |