Skip to main content

XX-Net CVE-2026-10099

| EUVDEUVD-2026-33346 MEDIUM
Improper Validation of Syntactic Correctness of Input (CWE-1286)
2026-05-29 disclosure@vulncheck.com GHSA-cwjv-w927-x7gr
5.1
CVSS 4.0 · NVD
Share

Severity by source

NVD PRIMARY
5.1 MEDIUM
CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Local
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

2
Source Code Evidence Fetched
May 29, 2026 - 16:55 vuln.today
Analysis Generated
May 29, 2026 - 16:55 vuln.today

DescriptionCVE.org

XX-Net V5.16.6 contains a WebSocket frame parsing vulnerability in the WebSocket_receive_worker routine of simple_http_server.py that allows attackers to cause corrupted application data by sending unmasked WebSocket frames. The server unconditionally reads 4 bytes as a masking key regardless of whether the MASK bit is set in the frame header, causing the first 4 bytes of payload to be consumed as a mask key and the remaining payload to be incorrectly XOR-decoded, resulting in data corruption alongside missing RSV bit, opcode, and FIN fragmentation validations.

AnalysisAI

WebSocket frame parsing in XX-Net V5.16.6 corrupts application-layer data when the local HTTP server's WebSocket_receive_worker routine unconditionally consumes 4 bytes as a masking key regardless of the RFC 6455 MASK bit, causing payload data to be silently misinterpreted. Attackers with local system access and no privileges can send unmasked WebSocket frames to the embedded simple_http_server.py endpoint, causing the first 4 bytes of any payload to be misread as a mask key and the remainder to be incorrectly XOR-decoded. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Obtain local access to XX-Net host
Delivery
Connect to locally bound WebSocket endpoint
Exploit
Craft frame with MASK bit cleared
Execution
Server misreads payload bytes as mask key
Persist
Remaining payload XOR-decoded with wrong key
Impact
Corrupt data delivered to XX-Net application layer

Vulnerability AssessmentAI

Exploitation The CVSS 4.0 vector AV:L/PR:N/UI:N specifies that exploitation requires local system-level access (same host as XX-Net) but no privileges and no user interaction. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 4.0 score of 5.1 (Medium) with vector AV:L/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N reflects a constrained real-world risk profile. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker with local access to a machine running XX-Net V5.16.6 - such as a low-privileged local user, a co-tenant in a shared environment, or malware already present on the host - connects to the locally bound XX-Net WebSocket endpoint and transmits WebSocket frames with the MASK bit cleared. The server misreads the first 4 payload bytes as a masking key and XOR-decodes the remainder against them, delivering silently corrupted data to the application layer; an attacker could leverage this to cause XX-Net to misprocess proxy instructions or application messages without triggering obvious errors. …
Remediation The upstream fix is available as GitHub commit a68b972a84ed6e52df9f30237cf47493b9231b53 (https://github.com/XX-net/XX-Net/commit/a68b972a84ed6e52df9f30237cf47493b9231b53) and the associated pull request #14170 (https://github.com/XX-net/XX-Net/pull/14170); however, a formally tagged and released patched version past V5.16.6 has not been independently confirmed - operators should monitor the XX-Net releases page for a version incorporating this commit. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-10099 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy