SQL Injection in Coturn
CVE-2026-53448
Coturn is a free open source implementation of TURN and STUN Server. Prior to 4.12.0, the coturn HTTPS admin panel passes HTTP query parameters directly into SQL queries via snprintf string interpolation without sanitization. The is_secure…
Vulnerability class: SQL Injection
CVSS v3 metric
CVSS v3 base score 7.2 (High). Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H.
Affected products
- Coturn — versions < 4.12.0
Weakness classification (CWE)
References
- security-advisories@github.com (x_refsource_CONFIRM)
- security-advisories@github.com (x_refsource_MISC)
- security-advisories@github.com (x_refsource_MISC)
- security-advisories@github.com (x_refsource_MISC)
Frequently asked questions
- What is CVE-2026-53448?
- CVE-2026-53448 is a high-severity vulnerability in Coturn, classified under SQL Injection. CVSS score: 7.2/10. Published 2026-07-10.
- How severe is CVE-2026-53448?
- High severity. CVSS v3 base score is 7.2 out of 10.