SB2026061833 - Uncontrolled Recursion in PUPnP

Description

This security bulletin contains information about 1 vulnerability.

1) Uncontrolled Recursion (CVE-ID: CVE-2026-55862)

CWE-ID: CWE-674 - Uncontrolled Recursion

CVSSv4: CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green

The vulnerability allows a remote attacker to cause a denial of service.

The vulnerability exists due to uncontrolled recursion in ixml recursive DOM tree traversal functions when processing deeply nested XML in SOAP requests. A remote attacker can send a specially crafted SOAP request containing deeply nested XML to cause a denial of service.

The XML parser itself processes the document iteratively, but subsequent internal SOAP processing can invoke recursive DOM functions such as ixmlPrintNode().

Remediation

Install update from vendor's website.

References

• https://github.com/pupnp/pupnp/security/advisories/GHSA-25cx-xv8x-j247
• https://github.com/pupnp/pupnp/commit/af1f8bc1