{"id":"CVE-2026-15747","summary":"Mojolicious versions from 4.59 before 9.48 for Perl expose a stable representation of the session CSRF token to a BREACH compression oracle","details":"Mojolicious versions from 4.59 before 9.48 for Perl expose a stable representation of the session CSRF token to a BREACH compression oracle.\n\n_csrf_token generates and caches one token per session and returns the same value on every call, and _csrf_field places that value in a hidden `csrf_token` input. When a response carrying the token also echoes attacker-controlled input and is gzip-compressed, the chosen values and the resulting compressed lengths form a BREACH oracle.\n\nAn attacker able to query it can recover the token and pass csrf_protect validation.","modified":"2026-07-18T03:46:13.432045313Z","published":"2026-07-14T17:07:32.593Z","related":["openSUSE-SU-2026:11282-1"],"database_specific":{"cna_assigner":"CPANSec","cwe_ids":["CWE-204","CWE-352"],"osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/15xxx/CVE-2026-15747.json"},"references":[{"type":"WEB","url":"http://www.openwall.com/lists/oss-security/2026/07/14/16"},{"type":"WEB","url":"https://cpan.org/modules"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/15xxx/CVE-2026-15747.json"},{"type":"ADVISORY","url":"https://metacpan.org/release/SRI/Mojolicious-9.48/changes"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-15747"},{"type":"FIX","url":"https://github.com/mojolicious/mojo/commit/01921fbbbbeca2d1397e082d4a647f9b84c24e27.patch"},{"type":"PACKAGE","url":"https://github.com/mojolicious/mojo"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/mojolicious/mojo","events":[{"introduced":"9ca2244a5bc2bac45e8c61db5adffcb65fe0aa0f"},{"fixed":"643b68560eb15f7a06ba4265d59e5a592c6fc332"},{"fixed":"01921fbbbbeca2d1397e082d4a647f9b84c24e27"}],"database_specific":{"extracted_events":[{"introduced":"4.59"},{"fixed":"9.48"}],"source":["DESCRIPTION","REFERENCES"]}}],"versions":["v9.47","v9.46","v9.45","v9.44","v9.43","v9.42","v9.41","v9.40","v9.39","v9.38","v9.37","v9.36","v9.35","v9.34","v9.33","v9.32","v9.31","v9.30","v9.29","v9.28","v9.27","v9.26","v9.25","v9.24","v9.23","v9.22","v9.21","v9.20","v9.19","v9.18","v9.17","v9.16","v9.15","v9.14","v9.13","v9.12","v9.11","v9.10","v9.09","v9.08","v9.07","v9.03","v9.02","v9.01","v9.0","v8.73","v8.72","v8.71","v8.70","v8.69","v8.68","v8.67","v8.66","v8.65","v8.64","v8.63","v8.62","v8.61","v8.60","v8.59","v8.58","v8.57","v8.56","v8.55","v8.54","v8.53","v8.52","v8.51","v8.50","v8.42","v8.41","v8.40","v8.39","v8.38","v8.37","v8.36","v8.35","v8.34","v8.33","v8.32","v8.31","v8.30","v8.29","v8.28","v8.27","v8.26","v8.25","v8.24","v8.23","v8.22","v8.21","v8.20","v8.19","v8.18","v8.17","v8.16","v8.15","v8.14","v8.13","v8.12","v8.11","v8.10","v8.09","v8.08","v8.07","v8.06","v8.05","v8.04","v8.03","v8.02","v8.01","v8.0","v7.94","v7.93","v7.92","v7.91","v7.90","v7.89","v7.88","v7.87","v7.86","v7.85","v7.84","v7.83","v7.82","v7.81","v7.80","v7.79","v7.78","v7.77","v7.76","v7.75","v7.74","v7.73","v7.72","v7.71","v7.70","v7.69","v7.68","v7.67","v7.66","v7.65","v7.64","v7.63","v7.62","v7.61","v7.60","v7.59","v7.58","v7.57","v7.56","v7.55","v7.54","v7.53","v7.52","v7.51","v7.50","v7.49","v7.48","v7.47","v7.46","v7.45","v7.44","v7.43","v7.42","v7.41","v7.40","v7.39","v7.38","v7.37","v7.36","v7.35","v7.34","v7.33","v7.32","v7.31","v7.30","v7.29","v7.28","v7.27","v7.26","v7.25","v7.24","v7.23","v7.22","v7.21","v7.20","v7.19","v7.18","v7.17","v7.16","v7.15","v7.14","v7.13","v7.12","v7.11","v7.10","v7.09","v7.08","v7.07","v7.06","v7.05","v7.04","v7.03","v7.02","v7.01","v7.0","v6.66","v6.65","v6.64","v6.63","v6.62","v6.61","v6.60","v6.59","v6.58","v6.57","v6.56","v6.55","v6.54","v6.53","v6.52","v6.51","v6.50","v6.49","v6.48","v6.47","v6.46","v6.45","v6.44","v6.43","v6.42","v6.41","v6.40","v6.39","v6.38","v6.37","v6.36","v6.35","v6.34","v6.33","v6.32","v6.31","v6.30","v6.29","v6.28","v6.27","v6.26","v6.25","v6.24","v6.23","v6.22","v6.21","v6.20","v6.19","v6.18","v6.17","v6.16","v6.15","v6.14","v6.13","v6.12","v6.11","v6.10","v6.09","v6.08","v6.07","v6.06","v6.05","v6.04","v6.03","v6.02","v6.01","v6.0","v5.82","v5.81","v5.80","v5.79","v5.78","v5.77","v5.76","v5.75","v5.74","v5.73","v5.72","v5.71","v5.70","v5.69","v5.68","v5.67","v5.66","v5.65","v5.64","v5.63","v5.62","v5.61","v5.60","v5.59","v5.58","v5.57","v5.56","v5.55","v5.54","v5.53","v5.52","v5.51","v5.50","v5.49","v5.48","v5.47","v5.46","v5.45","v5.44","v5.43","v5.42","v5.41","v5.40","v5.39","v5.38","v5.37","v5.36","v5.35","v5.34","v5.33","v5.32","v5.31","v5.30","v5.29","v5.28","v5.27","v5.26","v5.25","v5.24","v5.23","v5.22","v5.21","v5.20","v5.19","v5.18","v5.17","v5.16","v5.15","v5.14","v5.13","v5.12","v5.11","v5.10","v5.09","v5.08","v5.07","v5.06","v5.05","v5.04","v5.03","v5.02","v5.01","v5.0","v4.99","v4.98","v4.97","v4.96","v4.95","v4.94","v4.93","v4.92","v4.91","v4.90","v4.89","v4.88","v4.87","v4.86","v4.85","v4.84","v4.83","v4.82","v4.81","v4.80","v4.79","v4.78","v4.77","v4.76","v4.75","v4.74","v4.73","v4.72","v4.71","v4.70","v4.69","v4.68","v4.67","v4.66","v4.65","v4.64","v4.63","v4.62","v4.61","v4.60","v4.59"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-15747.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N"}]}