pupnp: Port truncation via atoi() cast in parse

6.9 / 10

MEDIUM

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N

Description

pupnp is an SDK for development of UPnP device and control point applications. Prior to version 1.18.5, pupnp is vulnerable to SRRF port confusion due to port truncation via atoi() cast in parse_uri(). This issue has been patched in version 1.18.5.

Basic Information

ID CVE-2026-41682

Source GitHub_M

Published May 8, 2026 at 22:47

Affected Product

Vendor pupnp

Product pupnp

Version < 1.18.5

Affected Versions pupnp pupnp < 1.18.5

CWE Classification

CWE-195 CWE-918

References

{
    "lastseen": "",
    "description": "pupnp is an SDK for development of UPnP device and control point applications. Prior to version 1.18.5, pupnp is vulnerable to SRRF port confusion due to port truncation via atoi() cast in parse_uri(). This issue has been patched in version 1.18.5.",
    "published": "2026-05-08T22:47:37.494Z",
    "modified": "2026-05-08T22:47:37.494Z",
    "type": "cve",
    "title": "pupnp: Port truncation via atoi() cast in parse_uri() allows SSRF port confusion",
    "source": "GitHub_M",
    "references": "https://github.com/pupnp/pupnp/security/advisories/GHSA-q522-6w45-4j58\nhttps://github.com/pupnp/pupnp/commit/def5f9a2bc42f5b3d713e37c516fbe840ce54b7b\nhttps://github.com/pupnp/pupnp/releases/tag/release-1.18.5",
    "id": "CVE-2026-41682",
    "bulletinFamily": "",
    "cwe": [
        "CWE-195",
        "CWE-918"
    ],
    "cvelist": null,
    "sourceData": "pupnp pupnp < 1.18.5",
    "sourceHref": "",
    "cvss": {
        "score": 6.9,
        "severity": "MEDIUM",
        "vector": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N",
        "version": "4.0"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "pupnp",
    "version": "< 1.18.5",
    "vendor": "pupnp",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}

pupnp: Port truncation via atoi() cast in parse_uri() allows SSRF port confusion_CVE-2026-41682