Description
pupnp is an SDK for development of UPnP device and control point applications. Prior to version 1.18.5, pupnp is vulnerable to SRRF port confusion due to port truncation via atoi() cast in parse_uri(). This issue has been patched in version 1.18.5.
Published: 2026-05-08
Score: 6.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The pupnp SDK contains a flaw in its parse_uri() function where the port component of a URI is converted using atoi() and then cast to a short integer, causing truncation for large port numbers. This signed/unsigned conversion error allows an attacker to supply a crafted URI that resolves to an unintended port, effectively enabling server‑side request forgery (SSRF). The vulnerability could allow the application to contact internal services or extract sensitive data that would otherwise be inaccessible, potentially compromising confidentiality or enabling further exploitation.

Affected Systems

All releases of the pupnp SDK older than version 1.18.5 are affected. The library is used to build UPnP device and control point applications, so any product incorporating these older releases is at risk.

Risk and Exploitability

The CVSS score of 6.9 indicates moderate to high severity. EPSS is not available, and the flaw is not listed in the CISA KEV catalog, suggesting no widely publicised exploits are current. Exploitation requires that the attacker can influence the URI passed to parse_uri(), which is typically done via application input. If the SDK is used in an environment where untrusted data can be fed into it, the attacker could trigger SSRF against internal targets. The absence of a published exploit does not preclude future use, so the risk remains significant for exposed applications.

Generated by OpenCVE AI on May 9, 2026 at 00:23 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the pupnp SDK to version 1.18.5 or later, which removes the truncation bug in parse_uri().
  • During the upgrade period, validate or sanitize all URIs before passing them to parse_uri(); reject URIs that contain non‑numeric ports or ports that exceed the valid range.
  • Further reduce risk by restricting the network reach of the application using firewall or network segmentation so that even if SSRF occurs, it cannot reach critical internal resources.

Generated by OpenCVE AI on May 9, 2026 at 00:23 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 08 May 2026 23:15:00 +0000

Type Values Removed Values Added
Description pupnp is an SDK for development of UPnP device and control point applications. Prior to version 1.18.5, pupnp is vulnerable to SRRF port confusion due to port truncation via atoi() cast in parse_uri(). This issue has been patched in version 1.18.5.
Title pupnp: Port truncation via atoi() cast in parse_uri() allows SSRF port confusion
Weaknesses CWE-195
CWE-918
References
Metrics cvssV4_0

{'score': 6.9, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N'}

Subscriptions

No data.

cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-08T22:47:37.494Z

Reserved: 2026-04-22T03:53:24.406Z

Link: CVE-2026-41682

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Received

Published: 2026-05-08T23:16:35.737

Modified: 2026-05-08T23:16:35.737

Link: CVE-2026-41682

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-09T00:30:21Z

Weaknesses