CVE-2026-41682

pupnp is an SDK for development of UPnP device and control point applications. Prior to version 1.18.5, pupnp is vulnerable to SRRF port confusion due to port truncation via atoi() cast in parse_uri(). This issue has been patched in version 1.18.5.

CVSS

No CVSS.

References

Link	Resource
https://github.com/pupnp/pupnp/commit/def5f9a2bc42f5b3d713e37c516fbe840ce54b7b
https://github.com/pupnp/pupnp/releases/tag/release-1.18.5
https://github.com/pupnp/pupnp/security/advisories/GHSA-q522-6w45-4j58

Configurations

No configuration.

History

08 May 2026, 23:16

Type	Values Removed	Values Added
New CVE

Information

Published : 2026-05-08 23:16

Updated : 2026-05-13 16:01

NVD link : CVE-2026-41682

Mitre link : CVE-2026-41682

CVE.ORG link : CVE-2026-41682

JSON object : View

Products Affected

No product.

CWE

CWE-195

Signed to Unsigned Conversion Error

CWE-918

Server-Side Request Forgery (SSRF)

{"id": "CVE-2026-41682", "cveTags": [], "metrics": {"cvssMetricV40": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 6.9, "Automatable": "NOT_DEFINED", "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "exploitMaturity": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "LOW", "integrityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "availabilityRequirement": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "LOW", "confidentialityRequirement": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED"}}]}, "published": "2026-05-08T23:16:35.737", "references": [{"url": "https://github.com/pupnp/pupnp/commit/def5f9a2bc42f5b3d713e37c516fbe840ce54b7b", "source": "security-advisories@github.com"}, {"url": "https://github.com/pupnp/pupnp/releases/tag/release-1.18.5", "source": "security-advisories@github.com"}, {"url": "https://github.com/pupnp/pupnp/security/advisories/GHSA-q522-6w45-4j58", "source": "security-advisories@github.com"}], "vulnStatus": "Deferred", "weaknesses": [{"type": "Primary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-195"}, {"lang": "en", "value": "CWE-918"}]}], "descriptions": [{"lang": "en", "value": "pupnp is an SDK for development of UPnP device and control point applications. Prior to version 1.18.5, pupnp is vulnerable to SRRF port confusion due to port truncation via atoi() cast in parse_uri(). This issue has been patched in version 1.18.5."}], "lastModified": "2026-05-13T16:01:30.177", "sourceIdentifier": "security-advisories@github.com"}

CVE-2026-41682

JSON object

Attach tags to CVE-2026-41682

Attach tags to `CVE-2026-41682`