CSIRTS // UNIFIED SECURITY ADVISORY FEEDSYS ● ONLINE · POWERED BY INTELFUSIONS.COM

CVE-2026-53448

highCVSS 7.2covered by 1 sourcefirst seen 2026-07-10
Coturn is a free open source implementation of TURN and STUN Server. Prior to 4.12.0, the coturn HTTPS admin panel passes HTTP query parameters directly into SQL queries via snprintf string interpolation without sanitization. The is_secure_string filter that protects the STUN protocol path is not applied to the admin panel's delete-user, delete-secret, and delete-IP operations, so an authenticated admin can inject arbitrary SQL through the du, ds, and dip parameters, gaining full database control and potentially OS-level access via PostgreSQL COPY TO PROGRAM. This issue is fixed in version 4.12.0.

⚡ Watch CVE-2026-53448

Get an email if CVE-2026-53448 is added to CISA KEV, gains public exploit code, or a new advisory cites it — max one per day, one-click unsubscribe.

Advisory coverage (1)

External references

NVD record for CVE-2026-53448

CVE.org record

Embed the live status

CVE-2026-53448 live status badge — this badge updates automatically when the KEV or exploit status changes. How to embed it →

[![CVE-2026-53448 status](https://www.csirts.com/badge/CVE-2026-53448)](https://www.csirts.com/cve/CVE-2026-53448)