CVE-2026-41682
pupnp SSRF Port Confusion via atoi() in parse_uri()

Publication date: 2026-05-08

Last updated on: 2026-05-08

Assigner: GitHub, Inc.

Description
pupnp is an SDK for development of UPnP device and control point applications. Prior to version 1.18.5, pupnp is vulnerable to SSRF port confusion because the port is truncated by an atoi() cast in parse_uri(). This issue has been patched in version 1.18.5.
Meta Information
Published: 2026-05-08
Last Modified: 2026-05-08
Generated: 2026-06-19
AI Q&A: 2026-05-09
EPSS Evaluated: 2026-06-18
Affected Vendors & Products
Vendor: pupnp
Product: pupnp
Version / Range: up to 1.18.5 (exclusive)
CWE
CWE-918: The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination.
CWE-195: The product uses a signed primitive and performs a cast to an unsigned primitive, which can produce an unexpected value if the value of the signed primitive cannot be represented using an unsigned primitive.
Executive Summary

The vulnerability in pupnp, an SDK for UPnP device and control point applications, is due to port truncation caused by the use of atoi() in the parse_uri() function. This leads to SSRF port confusion, which means that the software incorrectly interprets port numbers, potentially causing security issues. This vulnerability existed prior to version 1.18.5 and has been fixed in that version.

Impact Analysis

This vulnerability can allow an attacker to exploit the incorrect port parsing to cause confusion in the network communication of UPnP devices or control points. This may lead to unauthorized access, misrouting of network traffic, or other security issues related to the handling of network ports.

Mitigation Strategies

The vulnerability in pupnp due to SSRF port confusion caused by port truncation via atoi() in parse_uri() has been patched in version 1.18.5.

To mitigate this vulnerability, you should immediately upgrade pupnp to version 1.18.5 or later.
