{"dataType":"CVE_RECORD","dataVersion":"5.2","cveMetadata":{"cveId":"CVE-2026-10099","assignerOrgId":"83251b91-4cc7-4094-a5c7-464a1b83ea10","state":"PUBLISHED","assignerShortName":"VulnCheck","dateReserved":"2026-05-29T15:03:52.130Z","datePublished":"2026-05-29T15:58:24.062Z","dateUpdated":"2026-05-29T15:58:24.062Z"},"containers":{"cna":{"providerMetadata":{"orgId":"83251b91-4cc7-4094-a5c7-464a1b83ea10","shortName":"VulnCheck","dateUpdated":"2026-05-29T15:58:24.062Z"},"title":"XX-Net V5.16.6 WebSocket Frame Parsing Data Corruption via simple_http_server.py","datePublic":"2026-05-29T15:55:00.000Z","problemTypes":[{"descriptions":[{"lang":"en","cweId":"CWE-1286","description":"CWE-1286 – Improper Validation of Syntactic Correctness of Input","type":"CWE"}]}],"affected":[{"vendor":"XX-net","product":"XX-Net","versions":[{"status":"affected","version":"0","lessThanOrEqual":"5.16.6","versionType":"git"},{"status":"affected","version":"0","lessThanOrEqual":"43aec6f","versionType":"git"}],"defaultStatus":"unknown"}],"descriptions":[{"lang":"en","value":"XX-Net V5.16.6 contains a WebSocket frame parsing vulnerability in the WebSocket_receive_worker routine of simple_http_server.py that allows attackers to corrupt application data by sending unmasked WebSocket frames. The server unconditionally reads 4 bytes as a masking key regardless of whether the MASK bit is set in the frame header, so for an unmasked frame the first 4 bytes of payload are consumed as a mask key and the remaining payload is incorrectly XOR-decoded, resulting in data corruption. The routine also lacks validation of RSV bits, opcodes, and FIN fragmentation.","supportingMedia":[{"type":"text/html","base64":false,"value":"<p>XX-Net V5.16.6 contains a WebSocket frame parsing vulnerability in the WebSocket_receive_worker routine of simple_http_server.py that allows attackers to corrupt application data by sending unmasked WebSocket frames. 
The server unconditionally reads 4 bytes as a masking key regardless of whether the MASK bit is set in the frame header, so for an unmasked frame the first 4 bytes of payload are consumed as a mask key and the remaining payload is incorrectly XOR-decoded, resulting in data corruption. The routine also lacks validation of RSV bits, opcodes, and FIN fragmentation.</p>"}]}],"references":[{"url":"https://github.com/XX-net/XX-Net/issues/14169","tags":["issue-tracking"]},{"url":"https://github.com/XX-net/XX-Net/pull/14170","tags":["technical-description"]},{"url":"https://github.com/XX-net/XX-Net/commit/a68b972a84ed6e52df9f30237cf47493b9231b53","tags":["patch"]},{"url":"https://www.vulncheck.com/advisories/xx-net-websocket-frame-parsing-data-corruption-via-simple-http-server-py","tags":["third-party-advisory"]}],"metrics":[{"format":"CVSS","scenarios":[{"lang":"en","value":"GENERAL"}],"cvssV3_1":{"version":"3.1","attackVector":"LOCAL","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"NONE","integrityImpact":"LOW","availabilityImpact":"NONE","baseSeverity":"MEDIUM","baseScore":4,"vectorString":"CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N"}},{"format":"CVSS","scenarios":[{"lang":"en","value":"GENERAL"}],"cvssV4_0":{"attackVector":"LOCAL","attackComplexity":"LOW","attackRequirements":"NONE","privilegesRequired":"NONE","userInteraction":"NONE","vulnConfidentialityImpact":"NONE","subConfidentialityImpact":"NONE","vulnIntegrityImpact":"LOW","subIntegrityImpact":"NONE","vulnAvailabilityImpact":"NONE","subAvailabilityImpact":"NONE","exploitMaturity":"NOT_DEFINED","Safety":"NOT_DEFINED","Automatable":"NOT_DEFINED","Recovery":"NOT_DEFINED","valueDensity":"NOT_DEFINED","vulnerabilityResponseEffort":"NOT_DEFINED","providerUrgency":"NOT_DEFINED","version":"4.0","baseSeverity":"MEDIUM","baseScore":5.1,"vectorString":"CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N"}}],"credits":[{"lang":"en","value":"YU 
SUN","type":"finder"}],"source":{"discovery":"EXTERNAL"}}}}