Description

XX-Net V5.16.6 contains a WebSocket frame parsing vulnerability in the WebSocket_receive_worker routine of simple_http_server.py that allows attackers to corrupt application data by sending unmasked WebSocket frames. The server unconditionally reads 4 bytes as a masking key regardless of whether the MASK bit is set in the frame header, so for an unmasked frame the first 4 bytes of the payload are consumed as the mask key and the remaining payload is XOR-decoded with them, corrupting the data. The same routine also lacks validation of the RSV bits, the opcode, and FIN-based fragmentation.
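The masking logic described above, as an added example that is not XX-Net's code: a minimal parser that reproduces the bug class (reading a 4-byte key whether or not MASK is set) beside an RFC 6455 parser that checks the MASK bit, RSV bits, opcode, FIN rule for control frames, and the extended length forms. The function names, the frame builder and the sample frames are constructed for illustration and are not taken from the project or the advisory.

```python
import struct

DATA_OPCODES = {0x0, 0x1, 0x2}     # continuation, text, binary
CONTROL_OPCODES = {0x8, 0x9, 0xA}  # close, ping, pong


class FrameError(ValueError):
    """Raised by the hardened parser when a frame violates RFC 6455."""


def build_frame(opcode, payload, mask=None, fin=True, rsv=0):
    """Encode one WebSocket frame; mask=None produces an unmasked frame."""
    b0 = (0x80 if fin else 0) | (rsv & 0x70) | (opcode & 0x0F)
    mbit = 0x80 if mask else 0
    n = len(payload)
    if n < 126:
        hdr = bytes([b0, mbit | n])
    elif n < 0x10000:
        hdr = bytes([b0, mbit | 126]) + struct.pack("!H", n)
    else:
        hdr = bytes([b0, mbit | 127]) + struct.pack("!Q", n)
    if mask:
        return hdr + mask + bytes(b ^ mask[i & 3] for i, b in enumerate(payload))
    return hdr + payload


def flawed_parse(buf):
    """Reproduces the bug class: a 4-byte key is read whether or not MASK is set.

    Handles only the 7-bit length form; returns (opcode, payload).
    """
    opcode = buf[0] & 0x0F
    length = buf[1] & 0x7F
    # The MASK bit (buf[1] & 0x80) is never consulted, so for an unmasked
    # frame these 4 bytes are really the first 4 bytes of the payload.
    mask = buf[2:6]
    # The rest of the payload is then XOR'd with data that was never a key.
    # (A socket-based loop would also block waiting for 4 bytes that never arrive.)
    data = buf[6:6 + length]
    return opcode, bytes(b ^ mask[i & 3] for i, b in enumerate(data))


def parse_frame(buf, from_client=True):
    """RFC 6455 frame parse. Returns (fin, opcode, payload, bytes_consumed)."""
    if len(buf) < 2:
        raise FrameError("truncated header")
    b0, b1 = buf[0], buf[1]
    fin = bool(b0 & 0x80)
    opcode = b0 & 0x0F
    masked = bool(b1 & 0x80)
    length = b1 & 0x7F
    pos = 2
    if b0 & 0x70:
        raise FrameError("RSV1-3 set but no extension was negotiated")
    if opcode not in DATA_OPCODES | CONTROL_OPCODES:
        raise FrameError("reserved opcode 0x%x" % opcode)
    if from_client and not masked:
        raise FrameError("client-to-server frame is not masked")  # RFC 6455 5.1
    if opcode in CONTROL_OPCODES and (not fin or length > 125):
        raise FrameError("control frames must be unfragmented and <= 125 bytes")
    if length == 126:
        if len(buf) < pos + 2:
            raise FrameError("truncated 16-bit length")
        (length,) = struct.unpack("!H", buf[pos:pos + 2])
        pos += 2
    elif length == 127:
        if len(buf) < pos + 8:
            raise FrameError("truncated 64-bit length")
        (length,) = struct.unpack("!Q", buf[pos:pos + 8])
        pos += 8
        if length >> 63:
            raise FrameError("most significant bit of 64-bit length must be 0")
    mask = b""
    if masked:  # the only point at which a masking key may be consumed
        if len(buf) < pos + 4:
            raise FrameError("truncated masking key")
        mask = buf[pos:pos + 4]
        pos += 4
    if len(buf) < pos + length:
        raise FrameError("truncated payload")
    data = buf[pos:pos + length]
    if masked:
        data = bytes(b ^ mask[i & 3] for i, b in enumerate(data))
    return fin, opcode, data, pos + length


def rejection_reason(buf, **kw):
    """Return the FrameError message for buf, or None if the frame is accepted."""
    try:
        parse_frame(buf, **kw)
    except FrameError as e:
        return str(e)
    return None


# Constructed sample frames (not captured traffic).
UNMASKED_TEXT = build_frame(0x1, b"hello world")
MASKED_TEXT = build_frame(0x1, b"hello world", mask=b"\x01\x02\x03\x04")

if __name__ == "__main__":
    print("flawed parser, unmasked frame:", flawed_parse(UNMASKED_TEXT))
    print("hardened parser, masked frame:", parse_frame(MASKED_TEXT)[2])
    print("hardened parser, unmasked frame:", rejection_reason(UNMASKED_TEXT))
```

Run stand-alone, the flawed parser turns the unmasked text frame `hello world` into seven bytes of garbage (the first four payload bytes became the "key"), while the hardened parser decodes the masked frame correctly and, in server mode, fails the unmasked frame outright as RFC 6455 requires rather than guessing at its framing.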

PUBLISHED Reserved 2026-05-29 | Published 2026-05-29 | Updated 2026-05-29 | Assigner VulnCheck

MEDIUM: 4.0 (CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N)

MEDIUM: 5.1 (CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N)

Problem types

CWE-1286 – Improper Validation of Syntactic Correctness of Input

Product status

Default status
unknown

Any version
affected

Credits

YU SUN finder

References

github.com/XX-net/XX-Net/issues/14169 issue-tracking

github.com/XX-net/XX-Net/pull/14170 technical-description

github.com/...ommit/a68b972a84ed6e52df9f30237cf47493b9231b53 patch

www.vulncheck.com/...ta-corruption-via-simple-http-server-py third-party-advisory

cve.org (CVE-2026-10099)

nvd.nist.gov (CVE-2026-10099)