CVE-2026-41682
Received Received - Intake

pupnp SRRF Port Confusion via atoi() in parse_uri()

Vulnerability report for CVE-2026-41682, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-05-08

Last updated on: 2026-05-08

Assigner: GitHub, Inc.

Description

pupnp is an SDK for development of UPnP device and control point applications. Prior to version 1.18.5, pupnp is vulnerable to SRRF port confusion due to port truncation via atoi() cast in parse_uri(). This issue has been patched in version 1.18.5.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-05-08
Last Modified
2026-05-08
Generated
2026-07-09
AI Q&A
2026-05-09
EPSS Evaluated
2026-07-08
NVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
pupnp pupnp to 1.18.5 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-918 The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination.
CWE-195 The product uses a signed primitive and performs a cast to an unsigned primitive, which can produce an unexpected value if the value of the signed primitive can not be represented using an unsigned primitive.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

The vulnerability in pupnp, an SDK for UPnP device and control point applications, is due to port truncation caused by the use of atoi() in the parse_uri() function. This leads to SRRF port confusion, which means that the software incorrectly interprets port numbers, potentially causing security issues. This vulnerability existed prior to version 1.18.5 and has been fixed in that version.

Impact Analysis

This vulnerability can allow an attacker to exploit the incorrect port parsing to cause confusion in the network communication of UPnP devices or control points. This may lead to unauthorized access, misrouting of network traffic, or other security issues related to the handling of network ports.

Mitigation Strategies

The vulnerability in pupnp due to SRRF port confusion caused by port truncation via atoi() in parse_uri() has been patched in version 1.18.5.

To mitigate this vulnerability, you should immediately upgrade pupnp to version 1.18.5 or later.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-41682. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart