Cross-site scripting in coTURN - CVE-2026-43915

Published: May 25, 2026


Vulnerability identifier: #VU132278
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U/U:Clear
CVE-ID: CVE-2026-43915
CWE-ID: CWE-79
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: coTURN
Affected software:
coTURN

Detailed vulnerability description

The vulnerability allows a remote user to execute arbitrary script in the administrator's browser.

The vulnerability exists due to cross-site scripting in the web-admin HTTPS interface session list (/ps) when rendering a crafted TURN username value. A remote user can create a TURN allocation with a crafted username to execute arbitrary script in the administrator's browser.

In deployments using anonymous TURN access, exploitation may be possible without TURN credentials. User interaction is required: an authenticated web-admin user must view the TURN session list for the injected script to run.
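The root cause described above is a server-side value (the TURN username) interpolated into the session-list HTML without escaping. The following is an added illustration of the defensive pattern, written for this advisory and not taken from coTURN's source: `html_escape` and `render_session_row` are hypothetical names, and the sample username is constructed.

```c
/* Added example, not coTURN's code: escape an attacker-controlled TURN
 * username before interpolating it into web-admin session-list HTML. */
#include <stdio.h>
#include <string.h>

/* Write the HTML-escaped form of `in` into `out`. Returns the number of
 * bytes written (excluding the NUL), or -1 if `out` is too small; on -1 the
 * output is emptied so a truncated, partially escaped fragment is never
 * emitted into the page. */
int html_escape(const char *in, char *out, size_t outlen) {
    size_t pos = 0;
    if (outlen == 0) return -1;
    for (const char *p = in; *p; ++p) {
        const char *rep;
        char one[2] = { *p, '\0' };
        switch (*p) {
            case '&':  rep = "&amp;";  break;
            case '<':  rep = "&lt;";   break;
            case '>':  rep = "&gt;";   break;
            case '"':  rep = "&quot;"; break;
            case '\'': rep = "&#39;";  break;
            default:   rep = one;      break;
        }
        size_t n = strlen(rep);
        if (pos + n >= outlen) { out[0] = '\0'; return -1; }
        memcpy(out + pos, rep, n);
        pos += n;
    }
    out[pos] = '\0';
    return (int)pos;
}

/* Render one session-list table row. The vulnerable pattern is to print the
 * raw username into the cell; here it is escaped first. Returns 0 on
 * success, -1 if escaping or formatting could not complete. */
int render_session_row(const char *username, char *out, size_t outlen) {
    char esc[256];
    if (html_escape(username, esc, sizeof esc) < 0) return -1;
    int n = snprintf(out, outlen, "<tr><td>%s</td></tr>", esc);
    return (n < 0 || (size_t)n >= outlen) ? -1 : 0;
}

int main(void) {
    char row[512];
    /* Constructed sample: a username carrying markup, as a crafted TURN
     * allocation might supply. */
    if (render_session_row("alice<script>", row, sizeof row) == 0)
        puts(row);
    return 0;
}
```

The same escaping must be applied in every HTML context the username reaches; a value placed inside an attribute or a script block needs context-specific encoding beyond what this text-node escaper provides.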


How to mitigate CVE-2026-43915

Install the security update from the vendor's website.

Sources