CVE-2026-10099

216.73.217.22

· Published 29/05/2026 16:16 · Modified 29/05/2026 16:16

Labels: CVE-2026-10099 2026-05-29 CVE-2026-10099 CWE-1286 [email protected]

Essential information

Published: 29/05/2026 16:16
Modified: 29/05/2026 16:16
Author: —
Creator: —
CVSS: 5.1 MEDIUM (v3) 5.1 MEDIUM (v4.0)
CISA KEV: No
CWE: —
CVSS vector: —

CVSS metrics

Description

XX-Net V5.16.6 contains a WebSocket frame parsing vulnerability in the WebSocket_receive_worker routine of simple_http_server.py that allows attackers to cause corrupted application data by sending unmasked WebSocket frames. The server unconditionally reads 4 bytes as a masking key regardless of whether the MASK bit is set in the frame header, causing the first 4 bytes of payload to be consumed as a mask key and the remaining payload to be incorrectly XOR-decoded, resulting in data corruption alongside missing RSV bit, opcode, and FIN fragmentation validations.

NVD status

Status: Received — CVE has been recently published to the CVE List and has been received by the NVD.
Source: [email protected]
NVD: View on NVD

Affected products (CPE)

Product	CPE
xx-net / xx-net	`cpe:2.3:a:xx-net:xx-net:5.16.6:::::::*`