CVE-2026-10099 MEDIUM

CVE-2026-10099: XX-Net V5.16.6 WebSocket Frame Parsing Data Corruption via simple_http_server.py

Vendor Xx-Net
Product XX-Net
Weakness CWE-1286
Published May 29, 2026
Last update June 1, 2026

CVSS base score

4.0/10
Attack vector Local
Attack complexity Low
Privileges required None
User interaction None
Confidentiality None
Integrity Low

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

What the vulnerability does

01 Description

XX-Net V5.16.6 contains a WebSocket frame parsing vulnerability in the WebSocket_receive_worker routine of simple_http_server.py that allows attackers to corrupt application data by sending unmasked WebSocket frames. The server unconditionally reads 4 bytes as a masking key regardless of whether the MASK bit is set in the frame header. For an unmasked frame, the first 4 bytes of the payload are therefore consumed as the mask key and the remaining payload is incorrectly XOR-decoded, resulting in data corruption. The routine also lacks validation of the RSV bits, the opcode, and FIN fragmentation.
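
The masking flaw described above, as an added Python example that is not XX-Net's code: parse_flawed models the unconditional 4-byte key read, and parse_strict applies the masking, RSV, opcode and control-frame checks from RFC 6455. All function names are hypothetical, the sample frames are constructed, and cross-frame continuation tracking is left out.

```python
class FrameError(ValueError):
    """Frame rejected by the checks in parse_strict."""

def read_header(buf):
    """Return (fin, rsv, opcode, masked, length, offset just past the length field)."""
    if len(buf) < 2:
        raise FrameError("truncated header")
    b0, b1 = buf[0], buf[1]
    length = b1 & 0x7F
    pos = {126: 4, 127: 10}.get(length, 2)  # 16-bit or 64-bit extended length
    if len(buf) < pos:
        raise FrameError("truncated header")
    if pos > 2:
        length = int.from_bytes(buf[2:pos], "big")
    return b0 >> 7, (b0 >> 4) & 0x7, b0 & 0x0F, b1 >> 7, length, pos

def xor_mask(key, data):
    """XOR data with the repeating 4-byte key (masking and unmasking are the same)."""
    return bytes(c ^ key[i % 4] for i, c in enumerate(data))

def parse_flawed(buf):
    """Model of the described flaw: 4 bytes are always treated as a mask key."""
    _, _, _, _, length, pos = read_header(buf)
    return xor_mask(buf[pos:pos + 4], buf[pos + 4:pos + 4 + length])

def parse_strict(buf):
    """Server-side parse of one client frame; returns (fin, opcode, payload)."""
    fin, rsv, opcode, masked, length, pos = read_header(buf)
    if rsv:
        raise FrameError("RSV bits set with no extension negotiated")
    if opcode not in (0x0, 0x1, 0x2, 0x8, 0x9, 0xA):
        raise FrameError("reserved opcode")
    if opcode >= 0x8 and (not fin or length > 125):
        raise FrameError("control frame fragmented or too long")
    if not masked:  # RFC 6455 section 5.1: client-to-server frames must be masked
        raise FrameError("unmasked client frame")
    key, payload = buf[pos:pos + 4], buf[pos + 4:pos + 4 + length]
    if len(key) < 4 or len(payload) < length:
        raise FrameError("truncated frame")
    return fin, opcode, xor_mask(key, payload)

def build_frame(payload, key=None, opcode=0x1, fin=1):
    """Constructed sample input: one frame with a payload under 126 bytes."""
    head = bytes([fin << 7 | opcode, (0x80 if key else 0) | len(payload)])
    return head + (key + xor_mask(key, payload) if key else payload)

if __name__ == "__main__":
    print(parse_flawed(build_frame(b"hello world")))  # corrupted output
    print(parse_strict(build_frame(b"hello world", b"\x01\x02\x03\x04")))
```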

Key dates

02 Disclosure timeline

May 29, 2026 CVE published
June 1, 2026 Record updated