Skip to main content

Coturn CVE-2026-43915

| EUVDEUVD-2026-37939 MEDIUM
Cross-site Scripting (XSS) (CWE-79)
2026-06-18 GitHub_M
5.4
CVSS 3.1 · Vendor: GitHub_M
Share

Severity by source

Vendor (GitHub_M) PRIMARY
5.4 MEDIUM
AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
vuln.today AI
6.1 MEDIUM

PR:N captures the worst-case --no-auth anonymous path; S:C reflects XSS crossing from TURN client into authenticated admin session context.

3.1 AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
4.0 AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N
SUSE
MEDIUM
qualitative
Red Hat
5.4 MEDIUM
qualitative

Primary rating from Vendor (GitHub_M).

CVSS VectorVendor: GitHub_M

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
Required
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
None

Lifecycle Timeline

3
Patch available
Jun 18, 2026 - 21:02 EUVD
Source Code Evidence Fetched
Jun 18, 2026 - 20:07 vuln.today
Analysis Generated
Jun 18, 2026 - 20:07 vuln.today

DescriptionCVE.org

Coturn is a free open source implementation of TURN and STUN Server. Versions prior to 4.11.0 contain a stored cross-site scripting (XSS) vulnerability in the web-admin HTTPS interface. An attacker who can create a TURN allocation with a crafted USERNAME value can inject HTML/JavaScript that executes when an authenticated web-admin user views the TURN session list. In configurations using anonymous TURN access (--no-auth), this may be exploitable without TURN credentials. In authenticated deployments, exploitation requires valid TURN credentials or control over a provisioned username. This issue has been fixed in version 4.11.0.

AnalysisAI

Stored XSS in Coturn's web-admin HTTPS interface (all versions prior to 4.11.0) allows a TURN-level attacker to inject persistent JavaScript that executes in an authenticated administrator's browser when they view the session list. The attack is staged via a crafted USERNAME value in a TURN Allocate request, bridging the TURN protocol surface into the web-admin UI context. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Send TURN Allocate request with XSS payload in USERNAME
Delivery
Server stores malicious value in session table
Exploit
Authenticated admin navigates to session list
Execution
Injected JavaScript executes in admin browser context
Impact
Exfiltrate admin session credentials or perform privileged admin actions

Vulnerability AssessmentAI

Exploitation Two distinct exploitation paths exist depending on deployment configuration. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The provided CVSS 3.1 score of 5.4 (Medium) with vector AV:N/AC:L/PR:L/UI:R/S:C reflects the authenticated TURN case, but the CVE description explicitly identifies a more severe attack path in --no-auth deployments where TURN credentials are not required, effectively reducing the privilege requirement to PR:N and raising the real-world score. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker targeting a Coturn deployment configured with --no-auth sends a TURN Allocate request to the public TURN port with a USERNAME value containing a JavaScript payload such as a fetch-based cookie exfiltration script. The server stores the crafted username in the active session table. …
Remediation Upgrade Coturn to version 4.11.0, which contains the vendor-released patch for this XSS along with several other security fixes including a format-string injection fix in the Redis DB driver (PR #1870) and a constant-time HMAC comparison hardening (PR #1869), making the upgrade broadly advisable beyond this single issue. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

Vendor StatusVendor

SUSE

Severity: Moderate

Share

CVE-2026-43915 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy