CVE-2026-43915
Published: 2026-06-18
Priority: P427 | CVSS 3.1 base score: 5.4 (medium)
Vector: AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
EPSS: 0.14% (3.8th percentile)
Coturn is a free open source implementation of TURN and STUN Server. Versions prior to 4.11.0 contain a stored cross-site scripting (XSS) vulnerability in the web-admin HTTPS interface. An attacker who can create a TURN allocation with a crafted USERNAME value can inject HTML/JavaScript that executes when an authenticated web-admin user views the TURN session list. In configurations using anonymous TURN access (--no-auth), this may be exploitable without TURN credentials. In authenticated deployments, exploitation requires valid TURN credentials or control over a provisioned username. This issue has been fixed in version 4.11.0.
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| coturn | coturn | < 4.11.0 | 4.11.0 |
| coturn_project | coturn | < 4.11.0 | 4.11.0 |
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 3.1 | 5.4 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N |
| vendor_redhat | | 5.4 | MEDIUM | |
No detection rules found.
No public exploits indexed.
Bugzilla
CVE-2026-43915 coturn: Coturn: Cross-Site Scripting (XSS) via crafted username in TURN allocation [epel-all]
bugzilla · 2026-06-19 · severity MEDIUM
Disclaimer: Community trackers are created by Red Hat Product Security team on a best effort basis. Package maintainers are required to ascertain if the flaw indeed affects their package, before starting the update process.
Discussion:
FEDORA-EPEL-2026-69da7ab3e5 (coturn-4.13.1-1.el10_3) has been submitted as an update to Fedora EPEL 10.3.
https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2026-69da7ab3e5
---
FEDORA-EPEL-2026-f33139a01c (coturn-4.13.1-1.el10_2) has been submitted as an update to Fedora EPEL 10.2.
https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2026-f33139a01c
---
FEDORA-EPEL-2026-48a6ee99c9 (coturn-4.13.1-1.el9) has been submitted as an update to Fedora
Bugzilla
CVE-2026-43915 coturn: Coturn: Cross-Site Scripting (XSS) via crafted username in TURN allocation [fedora-all]
bugzilla · 2026-06-19 · severity MEDIUM
Disclaimer: Community trackers are created by Red Hat Product Security team on a best effort basis. Package maintainers are required to ascertain if the flaw indeed affects their package, before starting the update process.
Discussion:
FEDORA-2026-dda1360c18 (coturn-4.13.1-1.fc44) has been submitted as an update to Fedora 44.
https://bodhi.fedoraproject.org/updates/FEDORA-2026-dda1360c18
---
FEDORA-2026-c42d951aad (coturn-4.13.1-1.fc43) has been submitted as an update to Fedora 43.
https://bodhi.fedoraproject.org/updates/FEDORA-2026-c42d951aad
Bugzilla
CVE-2026-43915 coturn: Coturn: Cross-Site Scripting (XSS) via crafted username in TURN allocation
bugzilla · 2026-06-18 · severity MEDIUM