{"id":"CVE-2023-26488","summary":"OpenZeppelin Contracts contains Incorrect Calculation","details":"OpenZeppelin Contracts is a library for secure smart contract development. The ERC721Consecutive contract designed for minting NFTs in batches does not update balances when a batch has size 1 and consists of a single token. Subsequent transfers from the receiver of that token may overflow the balance as reported by `balanceOf`. The issue exclusively presents with batches of size 1. The issue has been patched in 4.8.2.","aliases":["GHSA-878m-3g6q-594q"],"modified":"2026-04-10T04:56:24.882991Z","published":"2023-03-03T21:08:34.886Z","database_specific":{"cna_assigner":"GitHub_M","cwe_ids":["CWE-682"],"osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2023/26xxx/CVE-2023-26488.json"},"references":[{"type":"WEB","url":"https://github.com/OpenZeppelin/openzeppelin-contracts/releases/tag/v4.8.2"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2023/26xxx/CVE-2023-26488.json"},{"type":"ADVISORY","url":"https://github.com/OpenZeppelin/openzeppelin-contracts/security/advisories/GHSA-878m-3g6q-594q"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2023-26488"},{"type":"FIX","url":"https://github.com/OpenZeppelin/openzeppelin-contracts/commit/167bf67ed3907f4a674043496019fa346cee7705"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/openzeppelin/openzeppelin-contracts","events":[{"introduced":"49c0e4370d0cc50ea6090709e3835a3091e33ee2"},{"fixed":"d00acef4059807535af0bd0dd0ddf619747a044b"}]}],"versions":["v4.8.0","v4.8.1"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2023-26488.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N"}]}