CVE-2026-9733
CriticalCVSS 9.1Exploitation Probability (EPSS)
Low risk8th percentile — higher than 8% of all known CVEs
Summary
Mojolicious::Plugin::Web::Auth::OAuth2 versions through 0.17 for Perl have an insecure default state parameter. When no state generator is specified in the constructor, it defaults to using a SHA-1 hash of predictable sources, allowing CSRF attacks.
Risk Assessment
A predictable state allows an attacker to hijack another user's session through cross site request forgery (CSRF), potentially leading to serious security breaches.
Recommendation
It is recommended that users specify their own state generator in the constructor to avoid using predictable sources for state generation.
Original NVD description (English source)
Mojolicious::Plugin::Web::Auth::OAuth2 versions through 0.17 for Perl have an insecure default state parameter. When no state generator is specified in the constructor, the module defaults to using a SHA-1 hash of predictable and low-entropy sources, including the epoch time (which is leaked via the HTTP Date header) and a call to Perl's built-in rand function. A predictable state allows an attacker to hijack another user's session through cross site request forgery (CSRF).

