CVE Catalog

CVE-2026-43915

MediumCVSS 5.4
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.14%

4th percentile — higher than 4% of all known CVEs

Summary

In Coturn prior to version 4.11.0, a stored XSS vulnerability was found in the HTTPS web-admin interface. An attacker can create a TURN allocation with a crafted USERNAME value, causing HTML/JavaScript execution when an authenticated admin views the TURN session list.

Risk Assessment

The risk involves potential session hijacking of the admin, theft of credentials, or unauthorized actions in the admin panel. In configurations with anonymous TURN access (--no-auth), the vulnerability may be exploitable without TURN credentials.

Recommendation

Immediately update Coturn to version 4.11.0 or later. If updating is not possible, restrict access to the admin interface and enforce authentication for TURN allocations.

Original NVD description (English source)

Coturn is a free open source implementation of TURN and STUN Server. Versions prior to 4.11.0 contain a stored cross-site scripting (XSS) vulnerability in the web-admin HTTPS interface. An attacker who can create a TURN allocation with a crafted USERNAME value can inject HTML/JavaScript that executes when an authenticated web-admin user views the TURN session list. In configurations using anonymous TURN access (--no-auth), this may be exploitable without TURN credentials. In authenticated deployments, exploitation requires valid TURN credentials or control over a provisioned username. This issue has been fixed in version 4.11.0.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS