234 matches found
PT-2026-60794
Mojo::JWT versions before 1.02 for Perl verify HMAC signatures with a non-constant-time string comparison. The decode method compares the supplied signature to the recomputed HMAC with Perl's eq operator, which stops at the first differing byte, so the comparison time varies with the number of...
Linux Distros Unpatched Vulnerability : CVE-2026-15747
The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - Mojolicious versions from 4.59 before 9.48 for Perl expose a stable representation of the session CSRF token to a BREACH compression oracle. csrftoken generates...
CVE-2026-15747
Mojolicious versions from 4.59 before 9.48 for Perl expose a stable representation of the session CSRF token to a BREACH compression oracle. csrftoken generates and caches one token per session and returns the same value on every call, and csrffield places that value in a hidden csrftoken input...
UBUNTU-CVE-2026-15747
Mojolicious versions from 4.59 before 9.48 for Perl expose a stable representation of the session CSRF token to a BREACH compression oracle. csrftoken generates and caches one token per session and returns the same value on every call, and csrffield places that value in a hidden csrftoken input...
CVE-2026-15747 Mojolicious versions from 4.59 before 9.48 for Perl expose a stable representation of the session CSRF token to a BREACH compression oracle
Mojolicious versions from 4.59 before 9.48 for Perl expose a stable representation of the session CSRF token to a BREACH compression oracle. csrftoken generates and caches one token per session and returns the same value on every call, and csrffield places that value in a hidden csrftoken input...
CVE-2026-15747 Mojolicious versions from 4.59 before 9.48 for Perl expose a stable representation of the session CSRF token to a BREACH compression oracle
Mojolicious versions from 4.59 before 9.48 for Perl expose a stable representation of the session CSRF token to a BREACH compression oracle. csrftoken generates and caches one token per session and returns the same value on every call, and csrffield places that value in a hidden csrftoken input...
CVE-2026-15747
CVE-2026-15747 affects Mojolicious on Perl: versions 4.59 up to (but excluding) 9.48 expose a stable CSRF token representation to a BREACH compression oracle. _csrf_token caches a single per-session token and _csrf_field outputs it in a hidden input; when a response includes attacker-controlled i...
PT-2026-58293
Name of the Vulnerable Software and Affected Versions Mojolicious versions 4.59 through 9.47 Description The software exposes a stable representation of the session CSRF token to a BREACH compression oracle. This occurs because the csrf token function generates and caches one token per session,...
CVE-2026-9733
Mojolicious::Plugin::Web::Auth::OAuth2 versions through 0.17 for Perl have an insecure default state parameter. When no state generator is specified in the constructor, the module defaults to using a SHA-1 hash of predictable and low-entropy sources, including the epoch time which is leaked via t...
CVE-2026-9733
CVE-2026-9733 affects Mojolicious::Plugin::Web::Auth::OAuth2 (Perl) versions up to 0.17. The insecure default state parameter arises from a SHA-1 based generator that uses epoch time (revealed via HTTP Date) and Perl rand, enabling CSRF session hijacking. A patch exists (Mojolicious-Plugin-Web-Au...
CVE-2026-9733 Mojolicious::Plugin::Web::Auth::OAuth2 versions through 0.17 for Perl have an insecure default state parameter
Mojolicious::Plugin::Web::Auth::OAuth2 versions through 0.17 for Perl have an insecure default state parameter. When no state generator is specified in the constructor, the module defaults to using a SHA-1 hash of predictable and low-entropy sources, including the epoch time which is leaked via t...
EUVD-2026-38421
Mojolicious::Plugin::Web::Auth::OAuth2 versions through 0.17 for Perl have an insecure default state parameter. When no state generator is specified in the constructor, the module defaults to using a SHA-1 hash of predictable and low-entropy sources, including the epoch time which is leaked via t...
CVE-2026-9733 Mojolicious::Plugin::Web::Auth::OAuth2 versions through 0.17 for Perl have an insecure default state parameter
Mojolicious::Plugin::Web::Auth::OAuth2 versions through 0.17 for Perl have an insecure default state parameter. When no state generator is specified in the constructor, the module defaults to using a SHA-1 hash of predictable and low-entropy sources, including the epoch time which is leaked via t...
CVE-2026-9733
Mojolicious::Plugin::Web::Auth::OAuth2 versions through 0.17 for Perl have an insecure default state parameter. When no state generator is specified in the constructor, the module defaults to using a SHA-1 hash of predictable and low-entropy sources, including the epoch time which is leaked via t...
PT-2026-51481
Mojolicious::Plugin::Web::Auth::OAuth2 versions through 0.17 for Perl have an insecure default state parameter. When no state generator is specified in the constructor, the module defaults to using a SHA-1 hash of predictable and low-entropy sources, including the epoch time which is leaked via t...
CVE-2026-9692
Mojolicious::Sessions::Storable versions through 0.05 for Perl generate session ids insecurely. The default session id generator returns a SHA-1 hash seeded with the built-in rand function, the epoch time, the heap address of an anonymous hash, and the PID. These are predictable or low-entropy...
CVE-2026-9692
Mojolicious::Sessions::Storable versions through 0.05 for Perl generate session ids insecurely. The default session id generator returns a SHA-1 hash seeded with the built-in rand function, the epoch time, the heap address of an anonymous hash, and the PID. These are predictable or low-entropy...
CVE-2026-9692
Summary (CVE-2026-9692): Mojolicious::Sessions::Storable in Perl versions up to 0.05 generates insecure session IDs. The default generator seeds a SHA-1 hash with a mix of low-entropy sources: built-in rand, epoch time, heap address of an anonymous hash, and the process ID, making IDs predictable...
EUVD-2026-37926
Mojolicious::Sessions::Storable versions through 0.05 for Perl generate session ids insecurely. The default session id generator returns a SHA-1 hash seeded with the built-in rand function, the epoch time, the heap address of an anonymous hash, and the PID. These are predictable or low-entropy...
CVE-2026-9692 Mojolicious::Sessions::Storable versions through 0.05 for Perl generate session ids insecurely
Mojolicious::Sessions::Storable versions through 0.05 for Perl generate session ids insecurely. The default session id generator returns a SHA-1 hash seeded with the built-in rand function, the epoch time, the heap address of an anonymous hash, and the PID. These are predictable or low-entropy...