Severity by source
AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
PR:N captures the worst-case --no-auth anonymous path; S:C reflects XSS crossing from TURN client into authenticated admin session context.
Primary rating from Vendor (GitHub_M).
CVSS VectorVendor: GitHub_M
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Lifecycle Timeline
3DescriptionCVE.org
Coturn is a free open source implementation of TURN and STUN Server. Versions prior to 4.11.0 contain a stored cross-site scripting (XSS) vulnerability in the web-admin HTTPS interface. An attacker who can create a TURN allocation with a crafted USERNAME value can inject HTML/JavaScript that executes when an authenticated web-admin user views the TURN session list. In configurations using anonymous TURN access (--no-auth), this may be exploitable without TURN credentials. In authenticated deployments, exploitation requires valid TURN credentials or control over a provisioned username. This issue has been fixed in version 4.11.0.
AnalysisAI
Stored XSS in Coturn's web-admin HTTPS interface (all versions prior to 4.11.0) allows a TURN-level attacker to inject persistent JavaScript that executes in an authenticated administrator's browser when they view the session list. The attack is staged via a crafted USERNAME value in a TURN Allocate request, bridging the TURN protocol surface into the web-admin UI context. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Two distinct exploitation paths exist depending on deployment configuration. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The provided CVSS 3.1 score of 5.4 (Medium) with vector AV:N/AC:L/PR:L/UI:R/S:C reflects the authenticated TURN case, but the CVE description explicitly identifies a more severe attack path in --no-auth deployments where TURN credentials are not required, effectively reducing the privilege requirement to PR:N and raising the real-world score. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker targeting a Coturn deployment configured with --no-auth sends a TURN Allocate request to the public TURN port with a USERNAME value containing a JavaScript payload such as a fetch-based cookie exfiltration script. The server stores the crafted username in the active session table. … |
| Remediation | Upgrade Coturn to version 4.11.0, which contains the vendor-released patch for this XSS along with several other security fixes including a format-string injection fix in the Redis DB driver (PR #1870) and a constant-time HMAC comparison hardening (PR #1869), making the upgrade broadly advisable beyond this single issue. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
An exploitable heap out-of-bounds read vulnerability exists in the way CoTURN 4.5.1.1 web server parses POST requests. R
An exploitable denial-of-service vulnerability exists in the way CoTURN 4.5.1.1 web server parses POST requests. Rated h
Coturn TURN/STUN server contains an access control bypass that allows remote attackers to reach blocked internal address
Stack buffer overflow in Coturn's OAuth token decoder (decode_oauth_token_gcm()) lets remote unauthenticated attackers c
Remote denial of service in Coturn TURN/STUN server allows unauthenticated attackers to crash ARM64 deployments with a s
In coturn before version 4.5.1.3, there is an issue whereby STUN/TURN response buffer is not initialized properly. Rated
Server-side request forgery in coturn TURN/STUN server before 4.13.0 lets an authenticated TURN client bypass the defaul
SQL injection in the Coturn TURN/STUN server's HTTPS admin panel (versions prior to 4.12.0) allows an authenticated admi
Arbitrary file overwrite in Coturn prior to 4.13.0 is possible through the CLI management interface's `psd` (print sessi
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allVendor StatusVendor
SUSE
Severity: ModerateShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-37939