Lucene search
+L

234 matches found

Positive Technologies
Positive Technologies
added 23 hours ago4 views

PT-2026-60794

Mojo::JWT versions before 1.02 for Perl verify HMAC signatures with a non-constant-time string comparison. The decode method compares the supplied signature to the recomputed HMAC with Perl's eq operator, which stops at the first differing byte, so the comparison time varies with the number of...

5.3AI score
Exploits0References2
Tenable Nessus
Tenable Nessus
added 2 days ago7 views

Linux Distros Unpatched Vulnerability : CVE-2026-15747

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - Mojolicious versions from 4.59 before 9.48 for Perl expose a stable representation of the session CSRF token to a BREACH compression oracle. csrftoken generates...

9.1CVSS6.1AI score0.00248EPSS
Exploits0References3
NVD
NVD
added 3 days ago3 views

CVE-2026-15747

Mojolicious versions from 4.59 before 9.48 for Perl expose a stable representation of the session CSRF token to a BREACH compression oracle. csrftoken generates and caches one token per session and returns the same value on every call, and csrffield places that value in a hidden csrftoken input...

9.1CVSS0.00248EPSS
Exploits0References3
OSV
OSV
added 3 days ago4 views

UBUNTU-CVE-2026-15747

Mojolicious versions from 4.59 before 9.48 for Perl expose a stable representation of the session CSRF token to a BREACH compression oracle. csrftoken generates and caches one token per session and returns the same value on every call, and csrffield places that value in a hidden csrftoken input...

9.1CVSS6.1AI score0.00248EPSS
Exploits0References6
OSV
OSV
added 3 days ago4 views

CVE-2026-15747 Mojolicious versions from 4.59 before 9.48 for Perl expose a stable representation of the session CSRF token to a BREACH compression oracle

Mojolicious versions from 4.59 before 9.48 for Perl expose a stable representation of the session CSRF token to a BREACH compression oracle. csrftoken generates and caches one token per session and returns the same value on every call, and csrffield places that value in a hidden csrftoken input...

9.1CVSS6.1AI score0.00248EPSS
Exploits0References7
Cvelist
Cvelist
added 3 days ago24 views

CVE-2026-15747 Mojolicious versions from 4.59 before 9.48 for Perl expose a stable representation of the session CSRF token to a BREACH compression oracle

Mojolicious versions from 4.59 before 9.48 for Perl expose a stable representation of the session CSRF token to a BREACH compression oracle. csrftoken generates and caches one token per session and returns the same value on every call, and csrffield places that value in a hidden csrftoken input...

0.00248EPSS
Exploits0References2
CVE
CVE
added 3 days ago8 views

CVE-2026-15747

CVE-2026-15747 affects Mojolicious on Perl: versions 4.59 up to (but excluding) 9.48 expose a stable CSRF token representation to a BREACH compression oracle. _csrf_token caches a single per-session token and _csrf_field outputs it in a hidden input; when a response includes attacker-controlled i...

9.1CVSS6.1AI score0.00248EPSS
Exploits0References3
Positive Technologies
Positive Technologies
added 3 days ago4 views

PT-2026-58293

Name of the Vulnerable Software and Affected Versions Mojolicious versions 4.59 through 9.47 Description The software exposes a stable representation of the session CSRF token to a BREACH compression oracle. This occurs because the csrf token function generates and caches one token per session,...

9.1CVSS6.1AI score0.00248EPSS
Exploits0References10
NVD
NVD
added 2026/06/23 8:16 a.m.15 views

CVE-2026-9733

Mojolicious::Plugin::Web::Auth::OAuth2 versions through 0.17 for Perl have an insecure default state parameter. When no state generator is specified in the constructor, the module defaults to using a SHA-1 hash of predictable and low-entropy sources, including the epoch time which is leaked via t...

9.1CVSS0.00339EPSS
Exploits0References4
CVE
CVE
added 2026/06/23 7:5 a.m.16 views

CVE-2026-9733

CVE-2026-9733 affects Mojolicious::Plugin::Web::Auth::OAuth2 (Perl) versions up to 0.17. The insecure default state parameter arises from a SHA-1 based generator that uses epoch time (revealed via HTTP Date) and Perl rand, enabling CSRF session hijacking. A patch exists (Mojolicious-Plugin-Web-Au...

9.1CVSS5.4AI score0.00339EPSS
Exploits0References4
Cvelist
Cvelist
added 2026/06/23 7:5 a.m.41 views

CVE-2026-9733 Mojolicious::Plugin::Web::Auth::OAuth2 versions through 0.17 for Perl have an insecure default state parameter

Mojolicious::Plugin::Web::Auth::OAuth2 versions through 0.17 for Perl have an insecure default state parameter. When no state generator is specified in the constructor, the module defaults to using a SHA-1 hash of predictable and low-entropy sources, including the epoch time which is leaked via t...

0.00339EPSS
Exploits0References3
EUVD
EUVD
added 2026/06/23 7:5 a.m.9 views

EUVD-2026-38421

Mojolicious::Plugin::Web::Auth::OAuth2 versions through 0.17 for Perl have an insecure default state parameter. When no state generator is specified in the constructor, the module defaults to using a SHA-1 hash of predictable and low-entropy sources, including the epoch time which is leaked via t...

9.1CVSS5.4AI score0.00339EPSS
Exploits0References3
OSV
OSV
added 2026/06/23 7:5 a.m.4 views

CVE-2026-9733 Mojolicious::Plugin::Web::Auth::OAuth2 versions through 0.17 for Perl have an insecure default state parameter

Mojolicious::Plugin::Web::Auth::OAuth2 versions through 0.17 for Perl have an insecure default state parameter. When no state generator is specified in the constructor, the module defaults to using a SHA-1 hash of predictable and low-entropy sources, including the epoch time which is leaked via t...

9.1CVSS5.3AI score0.00339EPSS
Exploits0References8
ATTACKERKB
ATTACKERKB
added 2026/06/23 7:5 a.m.5 views

CVE-2026-9733

Mojolicious::Plugin::Web::Auth::OAuth2 versions through 0.17 for Perl have an insecure default state parameter. When no state generator is specified in the constructor, the module defaults to using a SHA-1 hash of predictable and low-entropy sources, including the epoch time which is leaked via t...

5.4AI score0.00339EPSS
Exploits0References4
Positive Technologies
Positive Technologies
added 2026/06/23 12:0 a.m.20 views

PT-2026-51481

Mojolicious::Plugin::Web::Auth::OAuth2 versions through 0.17 for Perl have an insecure default state parameter. When no state generator is specified in the constructor, the module defaults to using a SHA-1 hash of predictable and low-entropy sources, including the epoch time which is leaked via t...

9.1CVSS5.4AI score0.00339EPSS
Exploits0References6
NVD
NVD
added 2026/06/18 7:16 p.m.13 views

CVE-2026-9692

Mojolicious::Sessions::Storable versions through 0.05 for Perl generate session ids insecurely. The default session id generator returns a SHA-1 hash seeded with the built-in rand function, the epoch time, the heap address of an anonymous hash, and the PID. These are predictable or low-entropy...

5.3CVSS0.00274EPSS
Exploits0References4
ATTACKERKB
ATTACKERKB
added 2026/06/18 5:53 p.m.9 views

CVE-2026-9692

Mojolicious::Sessions::Storable versions through 0.05 for Perl generate session ids insecurely. The default session id generator returns a SHA-1 hash seeded with the built-in rand function, the epoch time, the heap address of an anonymous hash, and the PID. These are predictable or low-entropy...

7.3CVSS5.2AI score0.00329EPSS
Exploits0References5
CVE
CVE
added 2026/06/18 5:53 p.m.22 views

CVE-2026-9692

Summary (CVE-2026-9692): Mojolicious::Sessions::Storable in Perl versions up to 0.05 generates insecure session IDs. The default generator seeds a SHA-1 hash with a mix of low-entropy sources: built-in rand, epoch time, heap address of an anonymous hash, and the process ID, making IDs predictable...

5.3CVSS5.3AI score0.00274EPSS
Exploits0References4
EUVD
EUVD
added 2026/06/18 5:53 p.m.13 views

EUVD-2026-37926

Mojolicious::Sessions::Storable versions through 0.05 for Perl generate session ids insecurely. The default session id generator returns a SHA-1 hash seeded with the built-in rand function, the epoch time, the heap address of an anonymous hash, and the PID. These are predictable or low-entropy...

7.3CVSS5.2AI score0.00329EPSS
Exploits0References4
OSV
OSV
added 2026/06/18 5:53 p.m.4 views

CVE-2026-9692 Mojolicious::Sessions::Storable versions through 0.05 for Perl generate session ids insecurely

Mojolicious::Sessions::Storable versions through 0.05 for Perl generate session ids insecurely. The default session id generator returns a SHA-1 hash seeded with the built-in rand function, the epoch time, the heap address of an anonymous hash, and the PID. These are predictable or low-entropy...

5.3CVSS6AI score0.00329EPSS
Exploits0References8
Rows per page
Query Builder