Description

pupnp is an SDK for development of UPnP device and control point applications. Prior to version 1.18.5, pupnp is vulnerable to SSRF port confusion due to port truncation via atoi() cast in parse_uri(). This issue has been patched in version 1.18.5.

PUBLISHED Reserved 2026-04-22 | Published 2026-05-08 | Updated 2026-05-08 | Assigner GitHub_M




MEDIUM: 6.9 (CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N)

Problem types

CWE-195: Signed to Unsigned Conversion Error

CWE-918: Server-Side Request Forgery (SSRF)

Product status

< 1.18.5: affected

References

github.com/.../pupnp/security/advisories/GHSA-q522-6w45-4j58

github.com/...ommit/def5f9a2bc42f5b3d713e37c516fbe840ce54b7b

github.com/pupnp/pupnp/releases/tag/release-1.18.5

cve.org (CVE-2026-41682)

nvd.nist.gov (CVE-2026-41682)
