SQL injection in coTURN - CVE-2026-53448
Published: June 30, 2026
coTURN
Detailed vulnerability description
The vulnerability allows a remote user to execute arbitrary SQL commands.
The vulnerability exists due to SQL injection in the HTTPS admin panel delete-user, delete-secret, and delete-IP operations when processing HTTP GET parameters. A remote privileged user can send specially crafted request parameters to execute arbitrary SQL commands.
Exploitation requires valid admin credentials and the web admin feature to be enabled. With a PostgreSQL backend, stacked queries may enable operating system command execution.
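
The flaw class described above, as an added example that is not coTURN code and does not come from the advisory: a delete handler that pastes a request value into the statement text, next to one that keeps the statement constant and binds the value. SQLite stands in for the database backend; the table, column and function names are hypothetical, and the crafted parameter value is a constructed sample.

```python
import sqlite3

# Hypothetical schema standing in for the admin panel's backend tables.
SCHEMA = """
CREATE TABLE users (realm TEXT, name TEXT);
CREATE TABLE secrets (realm TEXT, value TEXT);
CREATE TABLE denied_ips (realm TEXT, ip_range TEXT);
"""

# One fixed statement per delete operation; request values are only ever bound.
DELETE_SQL = {
    "user": "DELETE FROM users WHERE realm = ? AND name = ?",
    "secret": "DELETE FROM secrets WHERE realm = ? AND value = ?",
    "ip": "DELETE FROM denied_ips WHERE realm = ? AND ip_range = ?",
}

CRAFTED = "x' OR '1'='1"  # constructed sample GET parameter value


def make_db():
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    db.executemany("INSERT INTO users VALUES (?, ?)",
                   [("example.org", "alice"), ("example.org", "bob")])
    return db


def delete_user_vulnerable(db, realm, name):
    # The request value becomes part of the statement text, so a quote in it
    # closes the string literal and the remainder is parsed as SQL.
    sql = f"DELETE FROM users WHERE realm = '{realm}' AND name = '{name}'"
    return db.execute(sql).rowcount


def delete_entry(db, operation, realm, value):
    # Hardened: the statement text is constant; the value is data, never SQL.
    return db.execute(DELETE_SQL[operation], (realm, value)).rowcount


def remaining_users(db):
    return db.execute("SELECT COUNT(*) FROM users").fetchone()[0]


def demo():
    # Same crafted value against both handlers, each on a fresh database.
    vulnerable_db, hardened_db = make_db(), make_db()
    delete_user_vulnerable(vulnerable_db, "example.org", CRAFTED)
    delete_entry(hardened_db, "user", "example.org", CRAFTED)
    return remaining_users(vulnerable_db), remaining_users(hardened_db)
```

With the crafted value, the concatenating handler removes every row in the table, while the bound-parameter handler matches no user and leaves both rows in place.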