WebSocket Frame Parsing Vulnerability in XX-Net by XX-Net Team
CVE-2026-10099

5.1 MEDIUM

Key Information:

Vendor

Xx-net

Status
Vendor
CVE Published:
29 May 2026

What is CVE-2026-10099?

XX-Net version 5.16.6 contains a vulnerability in the WebSocket_receive_worker routine of simple_http_server.py. The server processes WebSocket frames without validating the MASK bit: it always reads 4 bytes as a masking key, whether or not the MASK bit is set, and therefore decodes the payload incorrectly. An attacker can send unmasked WebSocket frames, and the first 4 bytes are then incorrectly treated as a mask. The result is data corruption, with potential exploitation and degradation of application integrity.
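The following added example is not XX-Net's code; it models the behaviour described above next to a decoder that checks the MASK bit before reading a key. The function names and the sample frames are constructed for illustration, and rejecting unmasked client frames follows RFC 6455 section 5.1.

```python
import struct

class ProtocolError(Exception):
    """Frame violates RFC 6455; a server should close the connection."""

def parse_header(buf):
    """Return (masked, payload_len, offset just past the length field)."""
    try:
        masked, length, pos = bool(buf[1] & 0x80), buf[1] & 0x7F, 2
        if length == 126:                       # 16-bit extended length
            (length,) = struct.unpack_from("!H", buf, 2)
            pos = 4
        elif length == 127:                     # 64-bit extended length
            (length,) = struct.unpack_from("!Q", buf, 2)
            pos = 10
    except (IndexError, struct.error):
        raise ProtocolError("truncated header")
    return masked, length, pos

def unmask(key, data):
    """XOR each payload byte with the 4-byte masking key."""
    return bytes(b ^ key[i % 4] for i, b in enumerate(data))

def decode_flawed(buf):
    """Behaviour from the advisory: the MASK bit is never consulted."""
    _, length, pos = parse_header(buf)
    key = buf[pos:pos + 4]      # these are payload bytes if the frame is unmasked
    return unmask(key, buf[pos + 4:pos + 4 + length])

def decode_checked(buf):
    """Server-side decode: read a key only when the MASK bit says one exists."""
    masked, length, pos = parse_header(buf)
    if not masked:
        # RFC 6455 section 5.1: a server must close on an unmasked client frame.
        raise ProtocolError("unmasked client frame")
    if len(buf) < pos + 4 + length:
        raise ProtocolError("truncated frame")
    return unmask(buf[pos:pos + 4], buf[pos + 4:pos + 4 + length])

# Constructed sample frames: FIN + text opcode, 5-byte payload "hello".
KEY = b"\x01\x02\x03\x04"
MASKED = b"\x81\x85" + KEY + unmask(KEY, b"hello")   # MASK bit set
UNMASKED = b"\x81\x05hello"                          # MASK bit clear

if __name__ == "__main__":
    print(decode_flawed(MASKED), decode_flawed(UNMASKED))
    print(decode_checked(MASKED))
```

On the unmasked frame the flawed decoder consumes `hell` as the key and returns a single corrupted byte, while the checked decoder raises `ProtocolError`.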

Affected Version(s)

XX-Net 0 <= 5.16.6

XX-Net 0 <= 43aec6f

CVSS V4

Score:
5.1
Severity:
MEDIUM
Confidentiality:
None
Integrity:
Low
Availability:
None
Attack Vector:
Local
Attack Complexity:
Low
Attack Required:
None
Privileges Required:
Undefined
User Interaction:
None

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

YU SUN