CVE-2026-15747
Publication date 14 July 2026
Last updated 16 July 2026
Ubuntu priority
Description
Mojolicious versions from 4.59 before 9.48 for Perl expose a stable representation of the session CSRF token to a BREACH compression oracle. _csrf_token generates and caches one token per session and returns the same value on every call, and _csrf_field places that value in a hidden `csrf_token` input. When a response carrying the token also echoes attacker-controlled input and is gzip-compressed, the chosen values and the resulting compressed lengths form a BREACH oracle. An attacker able to query it can recover the token and pass csrf_protect validation.
Status
| Package | Ubuntu Release | Status |
|---|---|---|
| libmojolicious-perl | 26.04 LTS resolute |
Needs evaluation
|
| 24.04 LTS noble |
Needs evaluation
|
|
| 22.04 LTS jammy |
Needs evaluation
|
|
| 20.04 LTS focal |
Needs evaluation
|
|
| 18.04 LTS bionic |
Needs evaluation
|
References
Other references
- https://www.cve.org/CVERecord?id=CVE-2026-15747
- https://lists.security.metacpan.org/cve-announce/msg/41816171/
- https://github.com/mojolicious/mojo/commit/01921fbbbbeca2d1397e082d4a647f9b84c24e27.patch
- https://metacpan.org/release/SRI/Mojolicious-9.48/changes
- http://www.openwall.com/lists/oss-security/2026/07/14/16