Port Confusion Vulnerability in pupnp SDK for UPnP Device Applications
CVE-2026-41682

6.9 MEDIUM

Key Information:

Vendor: Pupnp

Status
Vendor
CVE Published: 8 May 2026

What is CVE-2026-41682?

The pupnp SDK, which facilitates the development of UPnP device and control point applications, is susceptible to a port confusion vulnerability due to port truncation when using the atoi() cast in the parse_uri() function. This flaw may lead to incorrect processing of network communications, allowing attackers to divert control flows or disrupt application behavior. Users are urged to upgrade to version 1.18.5 or later, where this issue has been addressed. For further information and mitigation details, refer to the official security advisories.
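
The truncation described above, shown next to a range-checked parse. This is an added illustration of the bug class, not pupnp's parse_uri() source or its fix; the function names and sample strings are constructed, and a 16-bit unsigned short is assumed.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical helper showing the flawed pattern: atoi() returns an int,
 * and the cast to a 16-bit port type silently keeps only the low 16 bits. */
static unsigned short port_truncating(const char *s)
{
    return (unsigned short)atoi(s);
}

/* Hypothetical strict parse: returns 0 and stores the port on success,
 * or -1 when the text is not a decimal number in 1..65535. */
static int port_checked(const char *s, unsigned short *out)
{
    char *end;
    long v;

    if (s == NULL || *s < '0' || *s > '9')
        return -1;                  /* empty, signed, or leading whitespace */
    errno = 0;
    v = strtol(s, &end, 10);
    if (errno != 0 || *end != '\0' || v < 1 || v > 65535)
        return -1;                  /* overflow, trailing junk, out of range */
    *out = (unsigned short)v;
    return 0;
}

int main(void)
{
    /* Constructed sample port strings. */
    const char *samples[] = { "49152", "65616", "131152", "80abc", "-1" };
    size_t i;

    for (i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        unsigned short p = 0;
        int rc = port_checked(samples[i], &p);
        printf("%-8s truncating=%5u checked=%s\n", samples[i],
               (unsigned)port_truncating(samples[i]),
               rc == 0 ? "ok" : "rejected");
    }
    return 0;
}
```

Any component that validates the port text and a component that later uses the truncated value can disagree about which port is meant, which is why the strict parse rejects out-of-range input instead of wrapping it.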

Affected Version(s)

pupnp < 1.18.5

CVSS V4

Score: 6.9
Severity: MEDIUM
Confidentiality: Low
Integrity: Low
Availability: None
Attack Vector: Network
Attack Complexity: Low
Attack Required: None
Privileges Required: Undefined
User Interaction: None

Timeline

  • Vulnerability published

  • Vulnerability Reserved
