CVE-2026-41682
pupnp SRRF Port Confusion via atoi() in parse_uri()
Publication date: 2026-05-08
Last updated on: 2026-05-08
Assigner: GitHub, Inc.
| CWE ID | Description |
|---|---|
| CWE-918 | The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination. |
| CWE-195 | The product uses a signed primitive and performs a cast to an unsigned primitive, which can produce an unexpected value if the value of the signed primitive can not be represented using an unsigned primitive. |
AI Powered Q&A
Can you explain this vulnerability to me?
The vulnerability in pupnp, an SDK for UPnP device and control point applications, is a port-truncation bug in the parse_uri() function, which converts the port component of a URL with atoi(). atoi() returns a plain int with no range checking, and when that value is stored in the narrower unsigned port field (CWE-195, signed-to-unsigned conversion) an out-of-range port string wraps to a different port. The resulting SSRF port confusion means the library can end up talking to a port other than the one the URL appeared to name. Versions prior to 1.18.5 are affected; the issue is fixed in 1.18.5.
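The following C program is an added illustration of the bug class, not pupnp's own parse_uri() code: a constructed, simplified port parser that mirrors the atoi()-into-16-bit-field pattern next to a hardened replacement that rejects anything outside the valid port range. It assumes a 16-bit unsigned short, which holds on every mainstream platform.

```c
#include <stdio.h>
#include <stdlib.h>
#include <errno.h>
#include <ctype.h>

/* Vulnerable pattern (constructed, simplified): atoi() returns an int with no
 * range checking or error reporting; storing it in a 16-bit port field wraps
 * the value, so "65616" silently becomes port 80 and "-1" becomes 65535. */
unsigned short parse_port_truncating(const char *s)
{
    return (unsigned short)atoi(s);   /* CWE-195: int -> unsigned short */
}

/* Hardened parser: digits only, explicit range check, -1 on any error.
 * Returns long so that the error value cannot collide with a real port. */
long parse_port_strict(const char *s)
{
    char *end;
    unsigned long v;

    if (s == NULL || !isdigit((unsigned char)*s))  /* rejects "", "-1", " 80" */
        return -1;
    errno = 0;
    v = strtoul(s, &end, 10);
    if (errno == ERANGE || *end != '\0')           /* overflow or trailing junk */
        return -1;
    if (v > 65535)                                 /* outside TCP/UDP port range */
        return -1;
    return (long)v;
}

int main(void)
{
    /* Constructed sample port strings as they might appear in a URL. */
    const char *samples[] = { "8080", "65616", "-1", "80abc" };
    size_t i;

    for (i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-8s truncating=%5u  strict=%ld\n", samples[i],
               parse_port_truncating(samples[i]),
               parse_port_strict(samples[i]));
    return 0;
}
```

The difference to look for in a code review is that the strict version fails closed: every input the truncating version silently remaps is reported as an error instead.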
How can this vulnerability impact me?
Because the parsed port no longer matches the port written in the URL, an attacker who can influence a URL handled by pupnp can cause a UPnP device or control point to send requests to an unintended port. This may lead to unauthorized access, misrouting of network traffic, or other security issues that stem from requests reaching the wrong service.
What immediate steps should I take to mitigate this vulnerability?
The SSRF port confusion caused by port truncation via atoi() in parse_uri() has been patched in pupnp version 1.18.5.
To mitigate this vulnerability, upgrade pupnp to version 1.18.5 or later as soon as possible.