Skip to main content

Mojolicious CVE-2026-15747

| EUVDEUVD-2026-44067 CRITICAL
Observable Response Discrepancy (CWE-204)
2026-07-14 CPANSec GHSA-6cg9-7rr8-cvj2
9.1
CVSS 3.1 · Vendor: CPANSec
Share

Severity by source

Vendor (CPANSec) PRIMARY
9.1 CRITICAL
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
vuln.today AI
5.9 MEDIUM

BREACH needs compression plus reflected input and a traffic-size oracle over many victim-driven requests (AC:H, UI:R); impact is CSRF bypass (I:H) with only token disclosure (C:L).

3.1 AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:H/A:N
4.0 AV:N/AC:H/AT:P/PR:N/UI:P/VC:L/VI:H/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (CPANSec).

CVSS VectorVendor: CPANSec

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
None

Lifecycle Timeline

5
Source Code Evidence Fetched
Jul 15, 2026 - 19:31 vuln.today
Analysis Generated
Jul 15, 2026 - 19:31 vuln.today
CVSS changed
Jul 15, 2026 - 17:22 NVD
9.1 (CRITICAL)
CVE Published
Jul 14, 2026 - 17:07 cve.org
CRITICAL 9.1
CVE Published
Jul 14, 2026 - 17:07 cve.org
UNKNOWN (no severity yet)

DescriptionCVE.org

Mojolicious versions from 4.59 before 9.48 for Perl expose a stable representation of the session CSRF token to a BREACH compression oracle.

_csrf_token generates and caches one token per session and returns the same value on every call, and _csrf_field places that value in a hidden csrf_token input. When a response carrying the token also echoes attacker-controlled input and is gzip-compressed, the chosen values and the resulting compressed lengths form a BREACH oracle.

An attacker able to query it can recover the token and pass csrf_protect validation.

AnalysisAI

CSRF token disclosure in the Perl Mojolicious web framework (versions 4.59 up to but not including 9.48) allows a network attacker to recover a victim's session CSRF token via a BREACH compression side channel and then bypass csrf_protect validation. Because _csrf_token cached and returned one stable per-session value that _csrf_field embedded in every response, an attacker who could inject reflected input into a gzip-compressed page could iteratively guess the token by observing compressed response lengths. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Obtain traffic-size observation position
Delivery
Induce victim requests reflecting chosen input
Exploit
Compare gzip-compressed response lengths
Execution
Recover static CSRF token byte-by-byte
Persist
Submit forged request passing csrf_protect
Impact
Perform unauthorized state change

Vulnerability AssessmentAI

Exploitation Exploitation requires all of: (1) the target Mojolicious app uses the built-in CSRF helpers so that the same static per-session token is emitted repeatedly (pre-9.48 behavior); (2) responses carrying the csrf_token field are gzip/deflate-compressed; (3) the same response reflects attacker-controlled input adjacent to the token; and (4) the attacker can observe compressed response lengths and induce many adaptive requests from the victim's authenticated session (an on-path/traffic-observation capability). … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment Signals are mixed and warrant nuance. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker who can observe a victim's TLS-encrypted traffic sizes (e.g., shared network or on-path) lures the victim's authenticated browser into repeatedly requesting a compressed page that both reflects an attacker-chosen string and includes the hidden csrf_token field. By adaptively varying the injected string and watching the compressed response shrink when a guess matches, the attacker recovers the full static token and submits a forged state-changing request that passes csrf_protect. …
Remediation Vendor-released patch: 9.48 - upgrade Mojolicious to 9.48 or later, where CSRF tokens are masked with a fresh random value on every request (commit https://github.com/mojolicious/mojo/commit/01921fbbbbeca2d1397e082d4a647f9b84c24e27.patch). … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours, inventory all systems running Mojolicious and identify instances in versions 4.59 through 9.47. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-15747 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy