UBUNTU-CVE-2026-15747

Source
https://ubuntu.com/security/CVE-2026-15747
Import Source
https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2026/UBUNTU-CVE-2026-15747.json
JSON Data
https://api.osv.dev/v1/vulns/UBUNTU-CVE-2026-15747
Upstream
Published
2026-07-14T18:17:00Z
Modified
2026-07-15T19:46:15.102348364Z
Severity
  • Ubuntu - medium
Summary
[none]
Details

Mojolicious versions from 4.59 before 9.48 for Perl expose a stable representation of the session CSRF token to a BREACH compression oracle. csrftoken generates and caches one token per session and returns the same value on every call, and csrffield places that value in a hidden csrf_token input. When a response carrying the token also echoes attacker-controlled input and is gzip-compressed, the chosen values and the resulting compressed lengths form a BREACH oracle. An attacker able to query it can recover the token and pass csrf_protect validation.

References

Affected packages

Ubuntu:16.04:LTS
libmojolicious-perl

Package

Name
libmojolicious-perl
Purl
pkg:deb/ubuntu/libmojolicious-perl?arch=source&distro=xenial

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected

Affected versions

6.*
6.15+dfsg-1
6.15+dfsg-1ubuntu1

Ecosystem specific

{
    "binaries": [
        {
            "binary_name": "libmojolicious-perl",
            "binary_version": "6.15+dfsg-1ubuntu1"
        }
    ]
}

Database specific

source
"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2026/UBUNTU-CVE-2026-15747.json"
Ubuntu:18.04:LTS
libmojolicious-perl

Package

Name
libmojolicious-perl
Purl
pkg:deb/ubuntu/libmojolicious-perl?arch=source&distro=bionic

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected

Affected versions

7.*
7.39+dfsg-1ubuntu1
7.43+dfsg-1ubuntu1
7.57+dfsg-1ubuntu1
7.59+dfsg-1ubuntu1

Ecosystem specific

{
    "binaries": [
        {
            "binary_name": "libmojolicious-perl",
            "binary_version": "7.59+dfsg-1ubuntu1"
        }
    ]
}

Database specific

source
"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2026/UBUNTU-CVE-2026-15747.json"
Ubuntu:20.04:LTS
libmojolicious-perl

Package

Name
libmojolicious-perl
Purl
pkg:deb/ubuntu/libmojolicious-perl?arch=source&distro=focal

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected

Affected versions

8.*
8.22+dfsg-1
8.23+dfsg-1
8.26+dfsg-1
8.27+dfsg-1
8.32+dfsg-1
8.33+dfsg-1

Ecosystem specific

{
    "binaries": [
        {
            "binary_name": "libmojolicious-perl",
            "binary_version": "8.33+dfsg-1"
        }
    ]
}

Database specific

source
"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2026/UBUNTU-CVE-2026-15747.json"
Ubuntu:22.04:LTS
libmojolicious-perl

Package

Name
libmojolicious-perl
Purl
pkg:deb/ubuntu/libmojolicious-perl?arch=source&distro=jammy

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected

Affected versions

8.*
8.71+dfsg-1
9.*
9.22+dfsg-1

Ecosystem specific

{
    "binaries": [
        {
            "binary_name": "libmojolicious-perl",
            "binary_version": "9.22+dfsg-1"
        }
    ]
}

Database specific

source
"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2026/UBUNTU-CVE-2026-15747.json"
Ubuntu:24.04:LTS
libmojolicious-perl

Package

Name
libmojolicious-perl
Purl
pkg:deb/ubuntu/libmojolicious-perl?arch=source&distro=noble

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected

Affected versions

9.*
9.33+dfsg-1
9.35+dfsg-1

Ecosystem specific

{
    "binaries": [
        {
            "binary_name": "libmojolicious-perl",
            "binary_version": "9.35+dfsg-1"
        }
    ]
}

Database specific

source
"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2026/UBUNTU-CVE-2026-15747.json"
Ubuntu:26.04:LTS
libmojolicious-perl

Package

Name
libmojolicious-perl
Purl
pkg:deb/ubuntu/libmojolicious-perl?arch=source&distro=resolute

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected

Affected versions

9.*
9.39+dfsg-1
9.42+dfsg-1

Ecosystem specific

{
    "binaries": [
        {
            "binary_name": "libmojolicious-perl",
            "binary_version": "9.42+dfsg-1"
        }
    ]
}

Database specific

source
"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2026/UBUNTU-CVE-2026-15747.json"