PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-43915 coturn CVE debrief

Coturn, a free open-source implementation of TURN and STUN Server, has a stored cross-site scripting (XSS) vulnerability in its web-admin HTTPS interface. An attacker can create a TURN allocation with a crafted USERNAME value to inject HTML/JavaScript that executes when an authenticated web-admin user views the TURN session list. This issue may be exploitable without TURN credentials in configurations using anonymous TURN access. In authenticated deployments, valid TURN credentials or control over a provisioned username are required for exploitation. The vulnerability has been fixed in version 4.11.0.

Vendor
coturn
Product
Unknown
CVSS
MEDIUM 5.4
CISA KEV
Not listed in stored evidence
Original CVE published
2026-06-18
Original CVE updated
2026-06-22
Advisory published
2026-06-18
Advisory updated
2026-06-22

Who should care

Administrators and users of Coturn TURN and STUN Server, especially those using versions prior to 4.11.0, should be aware of this vulnerability. This includes organizations that rely on Coturn for real-time communication services, as an attacker could potentially inject malicious scripts into the web-admin interface.

Technical summary

The vulnerability exists in the web-admin HTTPS interface of Coturn versions prior to 4.11.0. An attacker can exploit this by creating a TURN allocation with a specially crafted USERNAME value. When an authenticated web-admin user views the TURN session list, the injected HTML/JavaScript will execute. The CVSS score for this vulnerability is 5.4, indicating a medium severity. The vulnerability is classified under CWE-79, which covers cross-site scripting (XSS) attacks.

Defensive priority

MEDIUM

Recommended defensive actions

  • Update Coturn to version 4.11.0 or later to fix the vulnerability.
  • Implement proper input validation and sanitization for USERNAME values in TURN allocations.
  • Use secure authentication mechanisms for web-admin access.
  • Monitor web-admin interface for suspicious activity.
  • Restrict access to the web-admin interface to trusted users and networks.
  • Regularly review and update Coturn configurations to ensure secure settings.
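The two defensive points above that a developer or integrator can act on directly are rejecting HTML metacharacters in usernames at provisioning time and, more importantly, HTML-escaping every untrusted field when the session list is rendered. The following Python is an added illustration written for this debrief; it is not coturn's code, and the session records, the allowlist pattern and the helper names are all constructed assumptions. It contrasts the "before" pattern (raw concatenation of a TURN username into the admin page, the CWE-79 defect class described above) with the hardened rendering, and shows a username validator of the kind the second bullet recommends.

```python
import html
import re

# Hypothetical allowlist for TURN usernames accepted at provisioning time:
# letters, digits and a few punctuation characters, 1..64 long. Anything
# carrying HTML metacharacters (<, >, ", ', &) never reaches storage.
USERNAME_RE = re.compile(r"^[A-Za-z0-9._@:-]{1,64}$")


def is_safe_username(username: str) -> bool:
    """Return True if the username contains only allowlisted characters."""
    return bool(USERNAME_RE.fullmatch(username))


def render_session_row_unsafe(session: dict) -> str:
    """'Before' pattern: attacker-controlled fields concatenated straight into HTML.

    Whatever the TURN client supplied as USERNAME is emitted verbatim, so any
    markup in it becomes part of the admin page (the advisory's defect class).
    """
    return f"<tr><td>{session['username']}</td><td>{session['client_addr']}</td></tr>"


def render_session_row(session: dict) -> str:
    """Hardened pattern: HTML-escape every untrusted field at the point of output.

    quote=True also encodes '"' and "'", so the value is inert inside attribute
    context as well as element text.
    """
    user = html.escape(session["username"], quote=True)
    addr = html.escape(session["client_addr"], quote=True)
    return f"<tr><td>{user}</td><td>{addr}</td></tr>"


def render_session_list(sessions: list[dict]) -> str:
    """Render the whole session table using the escaping row renderer."""
    rows = "".join(render_session_row(s) for s in sessions)
    return f"<table><tr><th>User</th><th>Client</th></tr>{rows}</table>"


# Constructed sample data: two ordinary sessions and one whose username carries
# (harmless) markup, standing in for the crafted USERNAME the advisory describes.
SAMPLE_SESSIONS = [
    {"username": "alice", "client_addr": "198.51.100.10:50000"},
    {"username": "bob@example.org", "client_addr": "198.51.100.11:50002"},
    {"username": 'eve<b title="x">hi</b>', "client_addr": "203.0.113.5:40000"},
]


def contains_raw_markup(rendered: str, field: str) -> bool:
    """True if the field's raw, unescaped text survived into the rendered HTML."""
    return field in rendered


if __name__ == "__main__":
    for s in SAMPLE_SESSIONS:
        print(f"{s['username']!r:40} allowlisted={is_safe_username(s['username'])}")
    tainted = SAMPLE_SESSIONS[2]
    print("unsafe:", render_session_row_unsafe(tainted))
    print("safe:  ", render_session_row(tainted))
```

The validator is a defence in depth for the provisioning path; it does nothing for usernames that arrive in a TURN allocation from a client, which is why output escaping in the web-admin renderer is the fix that actually closes the hole. Run the module directly to see the same record rendered both ways.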

Evidence notes

The information provided is based on the CVE record and NVD details for CVE-2026-43915. The vulnerability was published on June 18, 2026, and last modified on the same day. The CVSS score and vector are based on the NVD's assessment.

Official resources

public