CVE-2026-10650

MEDIUM 5.3

warmcat libwebsockets SSH Protocol sshd.c lws_ssh_parse_plaintext resource consumption

CVSS Score

5.3

EPSS Score

0.1%

EPSS Percentile

17th

A flaw has been found in warmcat libwebsockets up to 4.5.8. This issue affects the function lws_ssh_parse_plaintext of the file plugins/protocol_lws_ssh_base/sshd.c of the component SSH Protocol Handler. Executing a manipulation of the argument msg_len can lead to resource consumption. The attack may be launched remotely. The exploit has been published and may be used. This patch is called 3f9f0c6ecaf0e6f3f219d30632c5d1f2479d7498. A patch should be applied to remediate this issue.

CWE	CWE-400 CWE-404
Vendor	warmcat
Product	libwebsockets
Published	Jun 2, 2026
Last Updated	Jun 3, 2026

Stay Ahead of the Next One

Get instant alerts for warmcat libwebsockets

Be the first to know when new medium vulnerabilities affecting warmcat libwebsockets are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

CVSS v3 Breakdown

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L/E:P/RL:O/RC:C

Attack Vector

Attack Complexity

Privileges Required

User Interaction

Scope

Confidentiality

Integrity

Availability

Affected Versions

warmcat / libwebsockets

4.5.0 4.5.1 4.5.2 4.5.3 4.5.4 4.5.5 4.5.6 4.5.7 4.5.8

References

NVD ↗ CVE.org ↗ EPSS Data ↗

vuldb.com: https://vuldb.com/vuln/367955 vuldb.com: https://vuldb.com/vuln/367955/cti vuldb.com: https://vuldb.com/cve/CVE-2026-10650 vuldb.com: https://vuldb.com/submit/830261 github.com: https://github.com/biniamf/pocs/tree/main/libwebsockets_sshd-parse-ic-unbounded-alloc github.com: https://github.com/biniamf/pocs/blob/main/libwebsockets_sshd-parse-ic-unbounded-alloc/poc_sshd_unbounded_alloc.py github.com: https://github.com/warmcat/libwebsockets/commit/3f9f0c6ecaf0e6f3f219d30632c5d1f2479d7498 github.com: https://github.com/warmcat/libwebsockets/

Credits

🔍 biniam (VulDB User)