CVE-2026-10099
4.0 MEDIUMXX-Net V5.16.6 contains a WebSocket frame parsing vulnerability in the WebSocket_receive_worker routine of simple_http_server.py that all...
Published: 2026-05-29 · Last updated: 2026-06-01
Severity and scoring
- CVSS
- 4.0 MEDIUM
- Vector
- CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
- CWE
- CWE-1286
Description
XX-Net V5.16.6 contains a WebSocket frame parsing vulnerability in the WebSocket_receive_worker routine of simple_http_server.py that allows attackers to cause corrupted application data by sending unmasked WebSocket frames. The server unconditionally reads 4 bytes as a masking key regardless of whether the MASK bit is set in the frame header, causing the first 4 bytes of payload to be consumed as a mask key and the remaining payload to be incorrectly XOR-decoded, resulting in data corruption alongside missing RSV bit, opcode, and FIN fragmentation validations.
Source: NVD
References
- [NVD]https://nvd.nist.gov/vuln/detail/CVE-2026-10099
- [Other]https://github.com/XX-net/XX-Net/commit/a68b972a84ed6e52df9f30237cf47493b9231b53
- [Other]https://github.com/XX-net/XX-Net/issues/14169
- [Other]https://github.com/XX-net/XX-Net/pull/14170
- [Other]https://www.vulncheck.com/advisories/xx-net-websocket-frame-parsing-data-corruption-via-simple-http-server-py
Related CVEs
Same CWE
- CVE-2026-50131 — Fedify is a TypeScript library for building federated server apps powered by ActivityPub (8.6 HIGH)
- CVE-2025-8873 — On affected platforms running Arista EOS with IPsec configured, a specially crafted packet can cause the dataplane to stop processing all... (7.5 HIGH)
- CVE-2019-25720 — Dräger SC Monitoring devices (SC 6002XL, SC 6802XL, SC 7000, SC 8000, SC 9000 XL) contain a denial-of-service vulnerability in all softwa... (6.5 MEDIUM)
- CVE-2021-4479 — Dräger Atlan A350 versions 1.00 up to and including 1.01 contains an improper input handling vulnerability that allows attackers to cause... (4.0 MEDIUM)
- CVE-2019-25723 — Dräger Perseus A500 software versions 2.00 through 2.02 contains an improper input handling vulnerability that allows external attackers ... (4.0 MEDIUM)