๐Ÿ” CVE Alert

CVE-2026-15747

CRITICAL 9.1

Mojolicious versions from 4.59 before 9.48 for Perl expose a stable representation of the session CSRF token to a BREACH compression oracle

CVSS Score
9.1
EPSS Score
0.2%
EPSS Percentile
5th

Mojolicious versions from 4.59 before 9.48 for Perl expose a stable representation of the session CSRF token to a BREACH compression oracle. _csrf_token generates and caches one token per session and returns the same value on every call, and _csrf_field places that value in a hidden `csrf_token` input. When a response carrying the token also echoes attacker-controlled input and is gzip-compressed, the chosen values and the resulting compressed lengths form a BREACH oracle. An attacker able to query it can recover the token and pass csrf_protect validation.

CWE CWE-204 CWE-352
Vendor sri
Product mojolicious
Published Jul 14, 2026
Last Updated Jul 15, 2026
Stay Ahead of the Next One

Get instant alerts for sri mojolicious

Be the first to know when new critical vulnerabilities affecting sri mojolicious are published โ€” delivered to Slack, Telegram or Discord.

Get Free Alerts โ†’ Free ยท No credit card ยท 60 sec setup

Affected Versions

SRI / Mojolicious
4.59 < 9.48

References

NVD โ†— CVE.org โ†— EPSS Data โ†—
github.com: https://github.com/mojolicious/mojo/commit/01921fbbbbeca2d1397e082d4a647f9b84c24e27.patch metacpan.org: https://metacpan.org/release/SRI/Mojolicious-9.48/changes openwall.com: http://www.openwall.com/lists/oss-security/2026/07/14/16