What is GHSA-rrc9-mx66-ffcm?

GHSA-rrc9-mx66-ffcm is a security advisory published by GitHub Security Advisories with Medium severity. daphne before 4.2.2 did not pass maxFramePayloadSize or maxMessagePayloadSize to Autobahn's...

Which CVE IDs does GHSA-rrc9-mx66-ffcm cover?

GHSA-rrc9-mx66-ffcm covers the following CVE IDs: CVE-2026-44545. Each CVE has its own detail page on EchelonGraph Pulse with the synthesized EG score.

What is the CVSS v3 score of GHSA-rrc9-mx66-ffcm?

GHSA-rrc9-mx66-ffcm has a CVSS v3 base score of 5.3, published by GitHub Security Advisories.

GHSA-rrc9-mx66-ffcmMediumCVSS 5.3

daphne before 4.2.2 did not pass maxFramePayloadSize or maxMessagePayloadSize to Autobahn's...

Vendor

GitHub Security Advisories

Published

June 3, 2026

Last Modified

June 3, 2026

🔗 CVE IDs covered (1)

CVE-2026-44545 →

📋 Description

daphne before 4.2.2 did not pass maxFramePayloadSize or maxMessagePayloadSize to Autobahn's WebSocketServerFactory. Because Autobahn defaults both values to 0 (unlimited), an unauthenticated remote attacker could send arbitrarily large WebSocket messages or frames, causing excessive memory consumption and a denial of service.

🔗 References (3)

https://nvd.nist.gov/vuln/detail/CVE-2026-44545
https://github.com/django/daphne/blob/main/CHANGELOG.txt
https://github.com/advisories/GHSA-rrc9-mx66-ffcm