CVE-2026-10099
MEDIUMXX-Net V5.16.6 WebSocket Frame Parsing Data Corruption via simple_http_server.py
Title source: cnaDescription
XX-Net V5.16.6 contains a WebSocket frame parsing vulnerability in the WebSocket_receive_worker routine of simple_http_server.py that allows attackers to cause corrupted application data by sending unmasked WebSocket frames. The server unconditionally reads 4 bytes as a masking key regardless of whether the MASK bit is set in the frame header, causing the first 4 bytes of payload to be consumed as a mask key and the remaining payload to be incorrectly XOR-decoded, resulting in data corruption alongside missing RSV bit, opcode, and FIN fragmentation validations.
References (4)
Core 4
Core References
Issue Tracking issue-tracking
https://github.com/XX-net/XX-Net/issues/14169
Technical Description technical-description
https://github.com/XX-net/XX-Net/pull/14170
Third Party Advisory third-party-advisory
https://www.vulncheck.com/advisories/xx-net-websocket-frame-parsing-data-corruption-via-simple-http-server-py
Scores
CVSS v3
4.0
EPSS
0.0013
EPSS Percentile
2.5%
Attack Vector
LOCAL
CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
no
Technical Impact
partial
Details
CWE
CWE-1286
Status
published
Products (2)
XX-net/XX-Net
< 43aec6f
XX-net/XX-Net
< 5.16.6
Published
May 29, 2026
Tracked Since
May 29, 2026