{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-43915", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-05-04T16:11:33.086Z", "datePublished": "2026-06-18T19:33:42.026Z", "dateUpdated": "2026-06-18T19:53:44.102Z"}, "containers": {"cna": {"title": "Coturn: Stored Cross-Site Scripting (XSS) in web-admin interface via TURN username", "problemTypes": [{"descriptions": [{"cweId": "CWE-79", "lang": "en", "description": "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/coturn/coturn/security/advisories/GHSA-xxf5-9vj2-g84j", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/coturn/coturn/security/advisories/GHSA-xxf5-9vj2-g84j"}, {"name": "https://github.com/coturn/coturn/releases/tag/4.11.0", "tags": ["x_refsource_MISC"], "url": "https://github.com/coturn/coturn/releases/tag/4.11.0"}], "affected": [{"vendor": "coturn", "product": "coturn", "versions": [{"version": "< 4.11.0", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-06-18T19:33:42.026Z"}, "descriptions": [{"lang": "en", "value": "Coturn is a free open source implementation of TURN and STUN Server. Versions prior to 4.11.0 contain a stored cross-site scripting (XSS) vulnerability in the web-admin HTTPS interface. An attacker who can create a TURN allocation with a crafted USERNAME value can inject HTML/JavaScript that executes when an authenticated web-admin user views the TURN session list. In configurations using anonymous TURN access (--no-auth), this may be exploitable without TURN credentials. In authenticated deployments, exploitation requires valid TURN credentials or control over a provisioned username. This issue has been fixed in version 4.11.0."}], "source": {"advisory": "GHSA-xxf5-9vj2-g84j", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-06-18T19:53:34.616522Z", "id": "CVE-2026-43915", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-06-18T19:53:44.102Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-43915", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-06-18T19:53:34.616522Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-06-18T19:53:36.851Z"}}], "cna": {"title": "Coturn: Stored Cross-Site Scripting (XSS) in web-admin interface via TURN username", "source": {"advisory": "GHSA-xxf5-9vj2-g84j", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 5.4, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "LOW"}}], "affected": [{"vendor": "coturn", "product": "coturn", "versions": [{"status": "affected", "version": "< 4.11.0"}]}], "references": [{"url": "https://github.com/coturn/coturn/security/advisories/GHSA-xxf5-9vj2-g84j", "name": "https://github.com/coturn/coturn/security/advisories/GHSA-xxf5-9vj2-g84j", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/coturn/coturn/releases/tag/4.11.0", "name": "https://github.com/coturn/coturn/releases/tag/4.11.0", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "Coturn is a free open source implementation of TURN and STUN Server. Versions prior to 4.11.0 contain a stored cross-site scripting (XSS) vulnerability in the web-admin HTTPS interface. An attacker who can create a TURN allocation with a crafted USERNAME value can inject HTML/JavaScript that executes when an authenticated web-admin user views the TURN session list. In configurations using anonymous TURN access (--no-auth), this may be exploitable without TURN credentials. In authenticated deployments, exploitation requires valid TURN credentials or control over a provisioned username. This issue has been fixed in version 4.11.0."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-06-18T19:33:42.026Z"}}}, "cveMetadata": {"cveId": "CVE-2026-43915", "state": "PUBLISHED", "dateUpdated": "2026-06-18T19:53:44.102Z", "dateReserved": "2026-05-04T16:11:33.086Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-06-18T19:33:42.026Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{}

{"bugzilla": {"description": "coturn: Coturn: Cross-Site Scripting (XSS) via crafted username in TURN allocation", "id": "2490558", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2490558"}, "csaw": false, "cvss3": {"cvss3_base_score": "5.4", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "status": "draft"}, "cwe": "CWE-79", "details": ["A flaw was found in Coturn. A remote attacker can exploit a stored Cross-Site Scripting (XSS) vulnerability in the web-admin HTTPS interface by creating a TURN allocation with a crafted username. This allows the attacker to inject malicious HTML or JavaScript code. When an authenticated web-admin user views the TURN session list, the injected code executes, potentially leading to information disclosure or unauthorized actions within the web-admin interface."], "mitigation": {"lang": "en:us", "value": "Restrict network access to the Coturn web-admin HTTPS interface to trusted administrative networks. Additionally, ensure that Coturn is configured to require authentication for all TURN allocations, preventing unauthenticated users from creating allocations with crafted usernames. This typically involves removing or avoiding the --no-auth option in the Coturn configuration. A restart of the Coturn service is necessary for these configuration changes to take effect."}, "name": "CVE-2026-43915", "public_date": "2026-06-18T19:33:42Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-43915\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-43915\nhttps://github.com/coturn/coturn/releases/tag/4.11.0\nhttps://github.com/coturn/coturn/security/advisories/GHSA-xxf5-9vj2-g84j"], "statement": "This Moderate flaw in Coturn's web-admin HTTPS interface allows a remote attacker to perform stored Cross-Site Scripting. Exploitation requires an attacker to create a TURN allocation with a specially crafted username, which then executes when an authenticated administrator views the TURN session list. While requiring administrator interaction, configurations with anonymous TURN access could broaden the attack surface by not requiring TURN credentials.", "threat_severity": "Moderate"}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,4.11.0)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "coturn", "source": "cna", "vendor": "coturn"}, "product": "coturn", "vendor": "coturn"}], "created": "2026-06-18T21:15:03.710349+00:00", "updated": "2026-06-18T21:15:03.849838+00:00", "vendors": ["coturn", "coturn$PRODUCT$coturn"]}