Vendor
Deepstream server versions up to and including 10.0.4 are vulnerable to prototype pollution (CVE-2026-49252), a critical flaw allowing any authenticated user with write permissions to any record to potentially escalate their privileges; the vulnerability is patched in version 10.0.5.