Mojolicious versions from 4.59 before 9.48 for Perl expose a stable representation of the session CSRF token to a BREACH compression oracle.
csrftoken generates and caches one token per session and returns the same value on every call, and csrffield places that value in a hidden csrf_token input. When a response carrying the token also echoes attacker-controlled input and is gzip-compressed, the chosen values and the resulting compressed lengths form a BREACH oracle.
An attacker able to query it can recover the token and pass csrf_protect validation.
{
"cwe_ids": [
"CWE-204",
"CWE-352"
],
"osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/15xxx/CVE-2026-15747.json",
"unresolved_ranges": [
{
"extracted_events": [
{
"introduced": "4.59"
},
{
"fixed": "9.48"
}
],
"source": "AFFECTED_FIELD"
},
{
"extracted_events": [
{
"introduced": "4.59"
},
{
"fixed": "9.48"
}
],
"source": "DESCRIPTION"
}
],
"cna_assigner": "CPANSec"
}