WebSocket fragmented message reassembly unbounded in bandit

Description

A vulnerability categorized as problematic has been discovered in mtrudel bandit up to 1.10.x. Affected is the function Elixir.Bandit.WebSocket.Connection in the library lib/bandit/websocket/connection.ex. Such manipulation leads to allocation of resources. This vulnerability is listed as CVE-2026-42786. The attack may be performed from remote. It is advisable to upgrade the affected component.

Affected Products

Vendor	Product	Versions
mtrudel	bandit	0.5.0, 8909391f486d42138c5308410bc5ea49a65f4d46

References

https://github.com/mtrudel/bandit/security/advisories/GHSA-pf94-94m9-536p(vendor-advisory, related)
https://cna.erlef.org/cves/CVE-2026-42786.html(related)
https://osv.dev/vulnerability/EEF-CVE-2026-42786(related)
https://github.com/mtrudel/bandit/commit/21612c7c7b1ce43eccd36d3af3a2299d23513667(patch)

Related News (1 articles)

Tier C

VulDB4h ago

CVE-2026-42786 | mtrudel bandit up to 1.10.x connection.ex Elixir.Bandit.WebSocket.Connection allocation of resources (GHSA-pf94-94m9-536p / EUVD-2026-26715)

→ No new info (linked only)

CISA KEV❌ No

Actively exploited❌ No

Patch available

1.11.0

CWECWE-770

PublishedMay 1, 2026

Last enriched3h agov2

Trending Score45

Source articles1

Independent1

Info Completeness8/14

Missing: cvss, epss, kev, exploit, iocs, mitre_attack

Community Vote

0 upvotes0 downvotes

No votes yet

Related CVEs (4)

Version History

Last enriched 3h ago

v2Tier C3h ago

Updated description with new details, changed severity to HIGH, and noted that there is no available exploit.

descriptionseverity

via VulDB

v111h ago

Initial creation