VDB
CVE-2026-27889
CVE-2026-27889
PUBLISHED
NATS: Pre-auth remote server crash via WebSocket frame length overflow in wsRead
EPSS 0.09% · 26.3th percentile
Risk Scores
EPSS Score
0.09%
26.3th percentile
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Bitnami | nats | 2.12.0, 2.2.0 |
Exploit Intelligence
- CIRCL seen: CVE-2026-27889 (circl-sighting)
- CIRCL seen: CVE-2026-27889 (circl-sighting)
- CIRCL seen: CVE-2026-27889 (circl-sighting)
- CIRCL seen: CVE-2026-27889 (circl-sighting)
- https://github.com/nats-io/nats-server/security/advisories/GHSA-pq2q-rcw4-3hr6 (circl)
- https://advisories.nats.io/CVE/secnote-2026-03.txt (circl)
- probe_messaging.go (github-poc)
- probe_messaging.go (github-poc)
- probe_messaging.go (github-poc)
- probe_messaging.go (github-poc)
…and 3 more exploits
Timeline
- Mar 25, 2026 CVE Published
- Mar 25, 2026 Coalition ESS Score
- Mar 25, 2026 PoC Published
- Mar 25, 2026 PoC Published
- Mar 25, 2026 PoC Published
- Mar 26, 2026 Security Advisory
- Mar 26, 2026 PoC Published
- Mar 27, 2026 CVE Updated
- May 18, 2026 EPSS Score
- May 19, 2026 EPSS Score
- May 20, 2026 EPSS Score
- May 21, 2026 EPSS Score