CVE-2026-41682

Source
https://cve.org/CVERecord?id=CVE-2026-41682
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-41682.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-41682
Aliases
  • GHSA-q522-6w45-4j58
Downstream
Related
Published
2026-05-08T22:47:37.494Z
Modified
2026-07-08T08:05:12.191598394Z
Severity
  • 6.9 (Medium) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N CVSS Calculator
Summary
pupnp: Port truncation via atoi() cast in parse_uri() allows SSRF port confusion
Details

pupnp is an SDK for development of UPnP device and control point applications. Prior to version 1.18.5, pupnp is vulnerable to SRRF port confusion due to port truncation via atoi() cast in parse_uri(). This issue has been patched in version 1.18.5.

Database specific
{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/41xxx/CVE-2026-41682.json",
    "cna_assigner": "GitHub_M",
    "cwe_ids": [
        "CWE-195",
        "CWE-918"
    ]
}
References

Affected packages

Git / github.com/pupnp/pupnp

Affected ranges

Type
GIT
Repo
https://github.com/pupnp/pupnp
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
Fixed
Database specific
{
    "source": [
        "AFFECTED_FIELD",
        "REFERENCES"
    ],
    "extracted_events": [
        {
            "introduced": "0"
        },
        {
            "fixed": "1.18.5"
        }
    ]
}

Affected versions

Other
last_svn_trunk
release-1.*
release-1.10.0
release-1.10.1
release-1.12.0
release-1.14.0
release-1.14.1
release-1.14.10
release-1.14.11
release-1.14.12
release-1.14.13
release-1.14.14
release-1.14.15
release-1.14.16
release-1.14.17
release-1.14.18
release-1.14.19
release-1.14.2
release-1.14.20
release-1.14.21
release-1.14.22
release-1.14.23
release-1.14.24
release-1.14.25
release-1.14.26
release-1.14.27
release-1.14.28
release-1.14.29
release-1.14.3
release-1.14.30
release-1.14.4
release-1.14.5
release-1.14.6
release-1.14.7
release-1.14.8
release-1.14.9
release-1.18.0
release-1.18.1
release-1.18.2
release-1.18.3
release-1.18.4
release-1.8.0
release-1.8.1
release-1.8.2
release-1.8.3
release-1.8.4

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-41682.json"