CVE-2026-13491
78 xiaozhi-esp32 MQTT Goodbye mqtt_protocol.cc GetInstance denial of service
| CVSS Score | 3.7 |
| EPSS Score | 0.0% |
| EPSS Percentile | 0th |
A vulnerability was detected in 78 xiaozhi-esp32 up to 2.2.6. It affects the function Application::GetInstance in the file main/protocols/mqtt_protocol.cc of the component MQTT Goodbye Handler. Manipulating the argument session_id results in denial of service. The attack can be carried out remotely. The attack complexity is rather high, and exploitation is stated to be difficult. The exploit is public and may be used. The patch is named e182471f8c5a22434346bd98da34d3b66c8c8b3e. Applying the patch is recommended to fix this issue.
| CWE | CWE-404 |
| Vendor | 78 |
| Product | xiaozhi-esp32 |
| Published | Jun 28, 2026 |
CVSS v3 Breakdown
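CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L/E:P/RL:O/RC:C
| Attack Vector | Network (AV:N) |
| Attack Complexity | High (AC:H) |
| Privileges Required | None (PR:N) |
| User Interaction | None (UI:N) |
| Scope | Unchanged (S:U) |
| Confidentiality | None (C:N) |
| Integrity | None (I:N) |
| Availability | Low (A:L) |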
Affected Versions
78 / xiaozhi-esp32
2.2.0, 2.2.1, 2.2.2, 2.2.3, 2.2.4, 2.2.5, 2.2.6
References
vuldb.com: https://vuldb.com/vuln/374488
vuldb.com: https://vuldb.com/vuln/374488/cti
vuldb.com: https://vuldb.com/cve/CVE-2026-13491
vuldb.com: https://vuldb.com/submit/838439
github.com: https://github.com/78/xiaozhi-esp32/issues/2022
github.com: https://github.com/78/xiaozhi-esp32/pull/2023
github.com: https://github.com/78/xiaozhi-esp32/commit/e182471f8c5a22434346bd98da34d3b66c8c8b3e
github.com: https://github.com/78/xiaozhi-esp32/
Credits
dem0000 (VulDB User)