CVE-2026-43915
MediumCVSS 5.4Exploitation Probability (EPSS)
Low risk4th percentile — higher than 4% of all known CVEs
Summary
In Coturn prior to version 4.11.0, a stored XSS vulnerability was found in the HTTPS web-admin interface. An attacker can create a TURN allocation with a crafted USERNAME value, causing HTML/JavaScript execution when an authenticated admin views the TURN session list.
Risk Assessment
The risk involves potential session hijacking of the admin, theft of credentials, or unauthorized actions in the admin panel. In configurations with anonymous TURN access (--no-auth), the vulnerability may be exploitable without TURN credentials.
Recommendation
Immediately update Coturn to version 4.11.0 or later. If updating is not possible, restrict access to the admin interface and enforce authentication for TURN allocations.
Original NVD description (English source)
Coturn is a free open source implementation of TURN and STUN Server. Versions prior to 4.11.0 contain a stored cross-site scripting (XSS) vulnerability in the web-admin HTTPS interface. An attacker who can create a TURN allocation with a crafted USERNAME value can inject HTML/JavaScript that executes when an authenticated web-admin user views the TURN session list. In configurations using anonymous TURN access (--no-auth), this may be exploitable without TURN credentials. In authenticated deployments, exploitation requires valid TURN credentials or control over a provisioned username. This issue has been fixed in version 4.11.0.

