SB2026052538 - Cross-site scripting in coTURN




Published: May 25, 2026

Security Bulletin ID SB2026052538
CSH Severity Low
Patch available YES
Number of vulnerabilities 1
Exploitation vector Remote access
Highest impact Data manipulation

Breakdown by Severity

Low 100%

Description

This security bulletin contains information about 1 vulnerability.


1) Cross-site scripting (CVE-ID: CVE-2026-43915)

CWE-ID: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U/U:Clear


The vulnerability allows a remote user to execute arbitrary script in the administrator's browser.

The vulnerability exists due to cross-site scripting in the web-admin HTTPS interface session list (/ps) when rendering a crafted TURN username value. A remote user can create a TURN allocation with a crafted username to execute arbitrary script in the administrator's browser.

In deployments using anonymous TURN access, exploitation may be possible without TURN credentials. User interaction is required: an authenticated web-admin user must view the TURN session list.


Remediation

Install the update from the vendor's website.