Mojic CVE-2026-41244

EUVD-2026-25610 MEDIUM

Observable Timing Discrepancy (CWE-208)

2026-04-24 GitHub_M

Authentication Bypass

4.7

CVSS 3.1

CVSS VectorNVD

CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:N

Attack Vector

Local

Attack Complexity

High

Privileges Required

None

User Interaction

Required

Scope

Unchanged

Confidentiality

None

Integrity

High

Availability

None

Lifecycle Timeline

Patch available

Apr 24, 2026 - 21:02 EUVD

Analysis Generated

Apr 24, 2026 - 20:16 vuln.today

DescriptionNVD

Mojic is a CLI tool to transform readable C code into an unrecognizable chaotic stream of emojis. Prior to 2.1.4, the CipherEngine uses a standard equality operator (!==) to verify the HMAC-SHA256 integrity seal during the decryption phase. This creates an Observable Timing Discrepancy (CWE-208), allowing a potential attacker to bypass the file integrity check via a timing attack. This vulnerability is fixed in 2.1.4.

AnalysisAI

Mojic prior to version 2.1.4 allows attackers to bypass HMAC-SHA256 file integrity verification through a timing attack against the CipherEngine's comparison function. The vulnerability stems from use of a standard equality operator (!=== in JavaScript) instead of constant-time comparison during decryption, enabling an attacker with local file access to forge or tamper with emoji-encoded files. …

Analysis

Detailed AI-generated intelligence summary covering attack vector, impact assessment, affected versions, remediation steps, and indicators of compromise.

POChttps://••••••••••.com/exploit

PATCHhttps://••••••••••.com/patch

ADVISORYhttps://••••••••••.com/advisory

Full analysis requires sign-in

Get intelligence summaries, risk assessment, exploit details, threat intel, and remediation guidance.

CVE-2026-41244 vulnerability details – vuln.today

Back

Mojic CVE-2026-41244

CVSS VectorNVD

Lifecycle Timeline

DescriptionNVD

AnalysisAI

Full analysis requires sign-in

Share

External POC / Exploit Code