CVE-2026-10099

Name of the Vulnerable Software and Affected Versions XX-Net version 5.16.6

Description A WebSocket frame parsing issue exists in the WebSocket receive worker routine of simple http server.py. The server unconditionally reads 4 bytes as a masking key, even if the MASK bit is not set in the frame header. This causes the first 4 bytes of the payload to be consumed as a mask key and the remaining payload to be incorrectly XOR-decoded, leading to corrupted application data. Additionally, the system fails to validate the RSV bit, opcode, and FIN fragmentation.

Recommendations At the moment, there is no information about a newer version that contains a fix for this vulnerability.