CVE-2026-43915

Name of the Vulnerable Software and Affected Versions Coturn versions prior to 4.11.0

Description A stored cross-site scripting (XSS) issue exists in the web-admin HTTPS interface. An attacker can inject HTML or JavaScript by creating a TURN allocation with a crafted USERNAME value. This script executes when an authenticated web-admin user views the TURN session list. In configurations using anonymous TURN access via the --no-auth flag, this can be exploited without credentials. In authenticated deployments, the attacker requires valid TURN credentials or control over a provisioned username.

Recommendations Update to version 4.11.0.