CVE Catalog

CVE-2026-9733

CriticalCVSS 9.1
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.19%

8th percentile — higher than 8% of all known CVEs

Summary

Mojolicious::Plugin::Web::Auth::OAuth2 versions through 0.17 for Perl have an insecure default state parameter. When no state generator is specified in the constructor, it defaults to using a SHA-1 hash of predictable sources, allowing CSRF attacks.

Risk Assessment

A predictable state allows an attacker to hijack another user's session through cross site request forgery (CSRF), potentially leading to serious security breaches.

Recommendation

It is recommended that users specify their own state generator in the constructor to avoid using predictable sources for state generation.

Original NVD description (English source)

Mojolicious::Plugin::Web::Auth::OAuth2 versions through 0.17 for Perl have an insecure default state parameter. When no state generator is specified in the constructor, the module defaults to using a SHA-1 hash of predictable and low-entropy sources, including the epoch time (which is leaked via the HTTP Date header) and a call to Perl's built-in rand function. A predictable state allows an attacker to hijack another user's session through cross site request forgery (CSRF).

Vulnerability data from NVD (NIST) · CISA KEV · EPSS