PatchSiren

XX-net CVE debriefs

These pages are published after PatchSiren validates generated defensive summaries against stored public CVE and source evidence.

MEDIUM XX-net CVE published 2026-05-29

CVE-2026-10099

A WebSocket frame parsing vulnerability in XX-Net V5.16.6 allows attackers to cause data corruption by sending unmasked WebSocket frames. The `WebSocket_receive_worker` routine in `simple_http_server.py` unconditionally reads 4 bytes as a masking key regardless of whether the MASK bit is set in the frame header. This causes the first 4 bytes of payload to be consumed as a mask key, with remaining payload [truncated]
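The parsing rule at issue, as an added example (not XX-Net's code and not part of the advisory): under RFC 6455 the 4-byte masking key is present only when the MASK bit is set. `parse_frame`, `build_frame` and the `always_read_key` switch are hypothetical names, and the switch models the described flaw on a constructed frame.

```python
import struct

MASK_BIT = 0x80


def build_frame(payload: bytes, key: bytes = b"") -> bytes:
    """Constructed sample: one FIN text frame (< 126 bytes), masked if key given."""
    assert len(payload) < 126 and len(key) in (0, 4)
    head = bytes([0x81, (MASK_BIT if key else 0) | len(payload)])
    body = bytes(b ^ key[i % 4] for i, b in enumerate(payload)) if key else payload
    return head + key + body


def parse_frame(buf: bytes, always_read_key: bool = False):
    """Parse one frame from buf and return (opcode, masked, payload).

    always_read_key=True is a model of the flaw described above (assumption,
    not the project's code): 4 bytes are consumed as a masking key even when
    the MASK bit is clear, so payload bytes are misread as key material.
    """
    if len(buf) < 2:
        raise ValueError("short header")
    opcode = buf[0] & 0x0F
    masked = bool(buf[1] & MASK_BIT)
    length = buf[1] & 0x7F
    pos = 2
    if length in (126, 127):  # extended 16-bit or 64-bit payload length
        fmt = "!H" if length == 126 else "!Q"
        size = struct.calcsize(fmt)
        if len(buf) < pos + size:
            raise ValueError("short extended length")
        (length,) = struct.unpack_from(fmt, buf, pos)
        pos += size
    key = b""
    if masked or always_read_key:  # correct parsers test only `masked`
        key = buf[pos:pos + 4]
        pos += 4
    payload = buf[pos:pos + length]
    if not always_read_key:
        if len(payload) != length or (masked and len(key) != 4):
            raise ValueError("truncated frame")
    if key:
        payload = bytes(b ^ key[i % 4] for i, b in enumerate(payload))
    return opcode, masked, payload
```

RFC 6455 section 5.1 also requires a server to close the connection when a client frame arrives unmasked, so a server-side parser can reject such frames outright instead of decoding them.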