Common Weakness Enumeration
CWE-1289
AllowedImproper Validation of Unsafe Equivalence in Input
Abstraction: Base · Status: Incomplete
The product receives an input value that is used as a resource identifier or other type of reference, but it does not validate or incorrectly validates that the input is equivalent to a potentially-unsafe value.
52 vulnerabilities reference this CWE, most recent first.
CVE-2026-50090 (GCVE-0-2026-50090)
Vulnerability from cvelistv5 – Published: 2026-06-12 15:02 – Updated: 2026-06-12 15:49
VLAI
EPSS
VEX
Title
Aqara OAuth redirect_uri validation bypass
Summary
The Aqara Cloud OAuth Authorization Endpoint (open-cn.aqara.com/oauth/authorize) is vulnerable to a redirect bypass due to lax controls on domain matching, which is an instance of "CWE-1289: Improper Validation of Unsafe Equivalence in Input" and has an estimated CVSS of CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N (9.3 Critical).
Severity
9.3 (Critical)
SSVC
Exploitation: poc
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-1289 - Improper validation of unsafe equivalence in input
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://github.com/xn0tsa/theres-no-place-like-home | technical-description |
| https://www.runzero.com/advisories/aqara-oauth-re… | third-party-advisory |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Aqara | Cloud OAuth Authorization Endpoint |
Affected:
2026-04-20 , < 0
(date)
|
Date Public
2026-06-12 15:00
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-50090",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-12T15:49:22.517830Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-12T15:49:43.781Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://github.com/xn0tsa/theres-no-place-like-home"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Cloud OAuth Authorization Endpoint",
"vendor": "Aqara",
"versions": [
{
"lessThan": "0",
"status": "affected",
"version": "2026-04-20",
"versionType": "date"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Sammy Azdoufal"
},
{
"lang": "en",
"type": "coordinator",
"value": "Tod Beardsley of runZero, Inc."
}
],
"datePublic": "2026-06-12T15:00:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "The Aqara Cloud OAuth Authorization Endpoint (open-cn.aqara.com/oauth/authorize) is vulnerable to a redirect bypass due to lax controls on domain matching, which is an instance of \"CWE-1289: Improper Validation of Unsafe Equivalence in Input\" and has an estimated CVSS of CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N (9.3 Critical)."
}
],
"value": "The Aqara Cloud OAuth Authorization Endpoint (open-cn.aqara.com/oauth/authorize) is vulnerable to a redirect bypass due to lax controls on domain matching, which is an instance of \"CWE-1289: Improper Validation of Unsafe Equivalence in Input\" and has an estimated CVSS of CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N (9.3 Critical)."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 9.3,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-1289",
"description": "CWE-1289 Improper validation of unsafe equivalence in input",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-12T15:02:13.840Z",
"orgId": "44488dab-36db-4358-99f9-bc116477f914",
"shortName": "runZero"
},
"references": [
{
"tags": [
"technical-description"
],
"url": "https://github.com/xn0tsa/theres-no-place-like-home"
},
{
"tags": [
"third-party-advisory"
],
"url": "https://www.runzero.com/advisories/aqara-oauth-redirect-validation-bypass-cve-2026-50090"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Aqara OAuth redirect_uri validation bypass",
"x_generator": {
"engine": "Vulnogram 1.0.2"
}
}
},
"cveMetadata": {
"assignerOrgId": "44488dab-36db-4358-99f9-bc116477f914",
"assignerShortName": "runZero",
"cveId": "CVE-2026-50090",
"datePublished": "2026-06-12T15:02:13.840Z",
"dateReserved": "2026-06-03T14:25:34.982Z",
"dateUpdated": "2026-06-12T15:49:43.781Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-49942 (GCVE-0-2026-49942)
Vulnerability from cvelistv5 – Published: 2026-06-04 16:07 – Updated: 2026-06-04 17:45
VLAI
EPSS
VEX
Title
Net::CIDR::Set versions through 0.20 for Perl did not validate network masks
Summary
Net::CIDR::Set versions through 0.20 for Perl did not validate network masks.
The mask portion of a network mask could contain Unicode digits such as the Arabic-Indic One (U+0661), or non-digits, which were ignored. This could allow network masks to accept larger networks.
Leading zeros were also accepted, but treated as decimal instead of octal. This could lead to confusion about what networks are acceptable.
Severity
7.3 (High)
SSVC
Exploitation: none
Automatable: yes
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-1289 - Improper Validation of Unsafe Equivalence in Input
Assigner
References
3 references
| URL | Tags |
|---|---|
| https://metacpan.org/release/RRWO/Net-CIDR-Set-0.… | release-notes |
| https://nvd.nist.gov/vuln/detail/CVE-2025-40911 | related |
| https://nvd.nist.gov/vuln/detail/CVE-2026-45191 | related |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| RRWO | Net::CIDR::Set |
Affected:
0 , ≤ 0.20
(custom)
|
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 7.3,
"baseSeverity": "HIGH",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2026-49942",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-04T17:42:08.928858Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-04T17:45:48.065Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://cpan.org/modules",
"defaultStatus": "unaffected",
"packageName": "Net-CIDR-Set",
"product": "Net::CIDR::Set",
"programRoutines": [
{
"name": "Net::CIDR::Set::IPv4::_encode"
},
{
"name": "Net::CIDR::Set::IPv6::_encode"
}
],
"repo": "https://github.com/robrwo/perl-Net-CIDR-Set",
"vendor": "RRWO",
"versions": [
{
"lessThanOrEqual": "0.20",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Net::CIDR::Set versions through 0.20 for Perl did not validate network masks.\n\nThe mask portion of a network mask could contain Unicode digits such as the Arabic-Indic One (U+0661), or non-digits, which were ignored. This could allow network masks to accept larger networks.\n\nLeading zeros were also accepted, but treated as decimal instead of octal. This could lead to confusion about what networks are acceptable."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-1289",
"description": "CWE-1289 Improper Validation of Unsafe Equivalence in Input",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-04T16:07:42.179Z",
"orgId": "9b29abf9-4ab0-4765-b253-1875cd9b441e",
"shortName": "CPANSec"
},
"references": [
{
"tags": [
"release-notes"
],
"url": "https://metacpan.org/release/RRWO/Net-CIDR-Set-0.21/changes"
},
{
"tags": [
"related"
],
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-40911"
},
{
"tags": [
"related"
],
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-45191"
}
],
"solutions": [
{
"lang": "en",
"value": "Upgrade to version 0.21."
}
],
"source": {
"discovery": "UNKNOWN"
},
"timeline": [
{
"lang": "en",
"time": "2026-05-13T00:00:00.000Z",
"value": "Issue reported to CPANSec"
},
{
"lang": "en",
"time": "2026-06-02T00:00:00.000Z",
"value": "Net::CIDR::Set version 0.21 released with fix"
}
],
"title": "Net::CIDR::Set versions through 0.20 for Perl did not validate network masks",
"x_generator": {
"engine": "cpansec-cna-tool 0.1"
}
}
},
"cveMetadata": {
"assignerOrgId": "9b29abf9-4ab0-4765-b253-1875cd9b441e",
"assignerShortName": "CPANSec",
"cveId": "CVE-2026-49942",
"datePublished": "2026-06-04T16:07:42.179Z",
"dateReserved": "2026-06-02T16:06:23.069Z",
"dateUpdated": "2026-06-04T17:45:48.065Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-49940 (GCVE-0-2026-49940)
Vulnerability from cvelistv5 – Published: 2026-06-04 16:07 – Updated: 2026-06-04 17:36
VLAI
EPSS
VEX
Title
Net::CIDR::Set versions through 0.20 for Perl accept non-ASCII IP addresses and netmasks
Summary
Net::CIDR::Set versions through 0.20 for Perl accept non-ASCII IP addresses and netmasks.
Unicode digits such as the Arabic-Indic One (U+0661) were accepted but not properly parsed as numbers. This could allow network masks to accept larger networks.
Severity
6.5 (Medium)
SSVC
Exploitation: none
Automatable: yes
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-1289 - Improper Validation of Unsafe Equivalence in Input
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://metacpan.org/release/RRWO/Net-CIDR-Set-0.… | release-notes |
| https://nvd.nist.gov/vuln/detail/CVE-2025-40911 | related |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| RRWO | Net::CIDR::Set |
Affected:
0 , ≤ 0.20
(custom)
|
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2026-49940",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-04T17:33:44.242109Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-04T17:36:19.084Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://cpan.org/modules",
"defaultStatus": "unaffected",
"packageName": "Net-CIDR-Set",
"product": "Net::CIDR::Set",
"programRoutines": [
{
"name": "Net::CIDR::Set::IPv4::_pack"
},
{
"name": "Net::CIDR::Set::IPv4::_encode"
},
{
"name": "Net::CIDR::Set::IPv6::_pack"
},
{
"name": "Net::CIDR::Set::IPv6::_pack_ipv4"
}
],
"repo": "https://github.com/robrwo/perl-Net-CIDR-Set",
"vendor": "RRWO",
"versions": [
{
"lessThanOrEqual": "0.20",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Net::CIDR::Set versions through 0.20 for Perl accept non-ASCII IP addresses and netmasks.\n\nUnicode digits such as the Arabic-Indic One (U+0661) were accepted but not properly parsed as numbers. This could allow network masks to accept larger networks."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-1289",
"description": "CWE-1289 Improper Validation of Unsafe Equivalence in Input",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-04T16:07:01.276Z",
"orgId": "9b29abf9-4ab0-4765-b253-1875cd9b441e",
"shortName": "CPANSec"
},
"references": [
{
"tags": [
"release-notes"
],
"url": "https://metacpan.org/release/RRWO/Net-CIDR-Set-0.21/changes"
},
{
"tags": [
"related"
],
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-40911"
}
],
"solutions": [
{
"lang": "en",
"value": "Upgrade to version 0.21."
}
],
"source": {
"discovery": "UNKNOWN"
},
"timeline": [
{
"lang": "en",
"time": "2026-05-13T00:00:00.000Z",
"value": "Issue reported to CPANSec"
},
{
"lang": "en",
"time": "2026-06-02T00:00:00.000Z",
"value": "Net::CIDR::Set version 0.21 released with fix"
}
],
"title": "Net::CIDR::Set versions through 0.20 for Perl accept non-ASCII IP addresses and netmasks",
"x_generator": {
"engine": "cpansec-cna-tool 0.1"
}
}
},
"cveMetadata": {
"assignerOrgId": "9b29abf9-4ab0-4765-b253-1875cd9b441e",
"assignerShortName": "CPANSec",
"cveId": "CVE-2026-49940",
"datePublished": "2026-06-04T16:07:01.276Z",
"dateReserved": "2026-06-02T16:06:23.068Z",
"dateUpdated": "2026-06-04T17:36:19.084Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-47674 (GCVE-0-2026-47674)
Vulnerability from cvelistv5 – Published: 2026-05-28 15:29 – Updated: 2026-06-02 18:15
VLAI
EPSS
VEX
Title
Hono: IP Restriction bypasses static deny rules for non-canonical IPv6
Summary
Hono is a Web application framework that provides support for any JavaScript runtime. Prior to 4.12.21, the ip-restriction middleware (hono/ip-restriction) compares incoming IP addresses against configured deny and allow rules using string equality after partial normalization. Non-canonical IPv6 representations of an address already listed in a static rule — such as compressed forms, explicit-zero forms, or hex-notation IPv4-mapped addresses — do not match the normalized rule entry, causing the rule to be silently skipped. This vulnerability is fixed in 4.12.21.
Severity
5.3 (Medium)
SSVC
Exploitation: none
Automatable: yes
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://github.com/honojs/hono/security/advisorie… | x_refsource_CONFIRM |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-47674",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-02T18:14:51.645201Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-02T18:15:02.284Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "hono",
"vendor": "honojs",
"versions": [
{
"status": "affected",
"version": "\u003c 4.12.21"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Hono is a Web application framework that provides support for any JavaScript runtime. Prior to 4.12.21, the ip-restriction middleware (hono/ip-restriction) compares incoming IP addresses against configured deny and allow rules using string equality after partial normalization. Non-canonical IPv6 representations of an address already listed in a static rule \u2014 such as compressed forms, explicit-zero forms, or hex-notation IPv4-mapped addresses \u2014 do not match the normalized rule entry, causing the rule to be silently skipped. This vulnerability is fixed in 4.12.21."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-185",
"description": "CWE-185: Incorrect Regular Expression",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-1289",
"description": "CWE-1289: Improper Validation of Unsafe Equivalence in Input",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-28T15:29:08.525Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/honojs/hono/security/advisories/GHSA-xrhx-7g5j-rcj5",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/honojs/hono/security/advisories/GHSA-xrhx-7g5j-rcj5"
}
],
"source": {
"advisory": "GHSA-xrhx-7g5j-rcj5",
"discovery": "UNKNOWN"
},
"title": "Hono: IP Restriction bypasses static deny rules for non-canonical IPv6"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-47674",
"datePublished": "2026-05-28T15:29:08.525Z",
"dateReserved": "2026-05-19T21:10:38.798Z",
"dateUpdated": "2026-06-02T18:15:02.284Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-46644 (GCVE-0-2026-46644)
Vulnerability from cvelistv5 – Published: 2026-07-14 20:48 – Updated: 2026-07-14 20:48
VLAI
EPSS
VEX
Title
symfony/polyfill-intl-idn accepts xn-- labels whose Punycode payload decodes to ASCII-only: insecure equivalence
Summary
Symfony Polyfill backports PHP features and provides compatibility layers for extensions and functions. From 1.17.1 until 1.38.1, symfony/polyfill-intl-idn accepts xn-- labels whose Punycode payload is empty or decodes to ASCII-only code points because Idn::process() does not enforce the UTS #46 revision 33 requirement that decoded ACE labels contain at least one non-ASCII code point. Originally unequal domain names can be regarded as equal, which can lead to blacklist bypassing, inconsistent URL parsing, and server-side request forgery in applications using the polyfill to canonicalise or compare hostnames. This issue is fixed in version 1.38.1.
Severity
CWE
- CWE-1289 - Improper Validation of Unsafe Equivalence in Input
Assigner
References
3 references
| URL | Tags |
|---|---|
| https://github.com/symfony/polyfill/security/advi… | x_refsource_CONFIRM |
| https://github.com/symfony/polyfill/commit/1be936… | x_refsource_MISC |
| https://github.com/symfony/polyfill/releases/tag/… | x_refsource_MISC |
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| symfony | polyfill |
Affected:
>= 1.17.1, < 1.38.1
|
|
| symfony | polyfill-intl-idn |
Affected:
>= 1.17.1, < 1.38.1
|
{
"containers": {
"cna": {
"affected": [
{
"product": "polyfill",
"vendor": "symfony",
"versions": [
{
"status": "affected",
"version": "\u003e= 1.17.1, \u003c 1.38.1"
}
]
},
{
"product": "polyfill-intl-idn",
"vendor": "symfony",
"versions": [
{
"status": "affected",
"version": "\u003e= 1.17.1, \u003c 1.38.1"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Symfony Polyfill backports PHP features and provides compatibility layers for extensions and functions. From 1.17.1 until 1.38.1, symfony/polyfill-intl-idn accepts xn-- labels whose Punycode payload is empty or decodes to ASCII-only code points because Idn::process() does not enforce the UTS #46 revision 33 requirement that decoded ACE labels contain at least one non-ASCII code point. Originally unequal domain names can be regarded as equal, which can lead to blacklist bypassing, inconsistent URL parsing, and server-side request forgery in applications using the polyfill to canonicalise or compare hostnames. This issue is fixed in version 1.38.1."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 6.9,
"baseSeverity": "MEDIUM",
"privilegesRequired": "NONE",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "LOW",
"subIntegrityImpact": "LOW",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:L/SI:L/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "LOW"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-1289",
"description": "CWE-1289: Improper Validation of Unsafe Equivalence in Input",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-07-14T20:48:31.771Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/symfony/polyfill/security/advisories/GHSA-2xf4-cg6j-vhgq",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/symfony/polyfill/security/advisories/GHSA-2xf4-cg6j-vhgq"
},
{
"name": "https://github.com/symfony/polyfill/commit/1be936e2491ccebe152bd736dfc91eb1422c8bec",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/symfony/polyfill/commit/1be936e2491ccebe152bd736dfc91eb1422c8bec"
},
{
"name": "https://github.com/symfony/polyfill/releases/tag/v1.38.1",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/symfony/polyfill/releases/tag/v1.38.1"
}
],
"source": {
"advisory": "GHSA-2xf4-cg6j-vhgq",
"discovery": "UNKNOWN"
},
"title": "symfony/polyfill-intl-idn accepts xn-- labels whose Punycode payload decodes to ASCII-only: insecure equivalence"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-46644",
"datePublished": "2026-07-14T20:48:31.771Z",
"dateReserved": "2026-05-15T20:11:54.584Z",
"dateUpdated": "2026-07-14T20:48:31.771Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-45191 (GCVE-0-2026-45191)
Vulnerability from cvelistv5 – Published: 2026-05-10 20:15 – Updated: 2026-05-11 16:37
VLAI
EPSS
VEX
Title
Net::CIDR::Lite versions before 0.24 for Perl does not properly consider extraneous zero characters in CIDR mask values, which may allow IP ACL bypass
Summary
Net::CIDR::Lite versions before 0.24 for Perl does not properly consider extraneous zero characters in CIDR mask values, which may allow IP ACL bypass.
Mask forms like "/00" and "/01" pass validation and parse to the same prefix as their unpadded value.
See also CVE-2026-45190.
Severity
6.5 (Medium)
SSVC
Exploitation: none
Automatable: yes
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-1289 - Improper Validation of Unsafe Equivalence in Input
Assigner
References
3 references
| URL | Tags |
|---|---|
| https://github.com/stigtsp/Net-CIDR-Lite/commit/2… | patch |
| https://metacpan.org/release/STIGTSP/Net-CIDR-Lit… | release-notes |
| https://www.cve.org/CVERecord?id=CVE-2026-45190 | related |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| STIGTSP | Net::CIDR::Lite |
Affected:
0 , < 0.24
(custom)
|
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2026-45191",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-11T16:37:44.711895Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T16:37:48.124Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://cpan.org/modules",
"defaultStatus": "unaffected",
"packageName": "Net-CIDR-Lite",
"product": "Net::CIDR::Lite",
"programFiles": [
"Lite.pm"
],
"programRoutines": [
{
"name": "Net::CIDR::Lite::add"
}
],
"repo": "https://github.com/stigtsp/Net-CIDR-Lite",
"vendor": "STIGTSP",
"versions": [
{
"lessThan": "0.24",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Net::CIDR::Lite versions before 0.24 for Perl does not properly consider extraneous zero characters in CIDR mask values, which may allow IP ACL bypass.\n\nMask forms like \"/00\" and \"/01\" pass validation and parse to the same prefix as their unpadded value.\n\nSee also CVE-2026-45190."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-1289",
"description": "CWE-1289 Improper Validation of Unsafe Equivalence in Input",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-10T20:15:53.897Z",
"orgId": "9b29abf9-4ab0-4765-b253-1875cd9b441e",
"shortName": "CPANSec"
},
"references": [
{
"tags": [
"patch"
],
"url": "https://github.com/stigtsp/Net-CIDR-Lite/commit/24e2c439ec405e5256024b9acefd4f7008c5ed0c.patch"
},
{
"tags": [
"release-notes"
],
"url": "https://metacpan.org/release/STIGTSP/Net-CIDR-Lite-0.24/changes"
},
{
"tags": [
"related"
],
"url": "https://www.cve.org/CVERecord?id=CVE-2026-45190"
}
],
"solutions": [
{
"lang": "en",
"value": "Upgrade to version 0.24 or newer, or apply the patch provided."
}
],
"source": {
"discovery": "UNKNOWN"
},
"timeline": [
{
"lang": "en",
"time": "2026-05-10T00:00:00.000Z",
"value": "Vulnerability found"
},
{
"lang": "en",
"time": "2026-05-10T00:00:00.000Z",
"value": "Net-CIDR-Lite version 0.24 released"
}
],
"title": "Net::CIDR::Lite versions before 0.24 for Perl does not properly consider extraneous zero characters in CIDR mask values, which may allow IP ACL bypass",
"x_generator": {
"engine": "cpansec-cna-tool 0.1"
}
}
},
"cveMetadata": {
"assignerOrgId": "9b29abf9-4ab0-4765-b253-1875cd9b441e",
"assignerShortName": "CPANSec",
"cveId": "CVE-2026-45191",
"datePublished": "2026-05-10T20:15:53.897Z",
"dateReserved": "2026-05-10T16:36:05.708Z",
"dateUpdated": "2026-05-11T16:37:48.124Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-45190 (GCVE-0-2026-45190)
Vulnerability from cvelistv5 – Published: 2026-05-10 20:15 – Updated: 2026-05-12 14:31
VLAI
EPSS
VEX
Title
Net::CIDR::Lite versions before 0.24 for Perl does not properly validate IP address and CIDR mask inputs, which may allow IP ACL bypass
Summary
Net::CIDR::Lite versions before 0.24 for Perl does not properly validate IP address and CIDR mask inputs, which may allow IP ACL bypass.
Inputs containing a trailing newline or non-ASCII digit characters pass the validators but are then re-encoded by the parser to a different address than the input string spelled. find() and bin_find() can match or miss addresses as a result.
Example:
my $cidr = Net::CIDR::Lite->new();
$cidr->add("::1\n/128");
$cidr->find("::1a"); # incorrectly returns true
See also CVE-2026-45191.
Severity
6.5 (Medium)
SSVC
Exploitation: none
Automatable: yes
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-1289 - Improper Validation of Unsafe Equivalence in Input
Assigner
References
3 references
| URL | Tags |
|---|---|
| https://github.com/stigtsp/Net-CIDR-Lite/commit/c… | patch |
| https://metacpan.org/release/STIGTSP/Net-CIDR-Lit… | release-notes |
| https://www.cve.org/CVERecord?id=CVE-2026-45191 | related |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| STIGTSP | Net::CIDR::Lite |
Affected:
0 , < 0.24
(custom)
|
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2026-45190",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-12T14:30:52.674727Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-12T14:31:01.908Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://cpan.org/modules",
"defaultStatus": "unaffected",
"packageName": "Net-CIDR-Lite",
"product": "Net::CIDR::Lite",
"programFiles": [
"Lite.pm"
],
"programRoutines": [
{
"name": "Net::CIDR::Lite::add"
},
{
"name": "Net::CIDR::Lite::_pack_ipv4"
},
{
"name": "Net::CIDR::Lite::_pack_ipv6"
}
],
"repo": "https://github.com/stigtsp/Net-CIDR-Lite",
"vendor": "STIGTSP",
"versions": [
{
"lessThan": "0.24",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Net::CIDR::Lite versions before 0.24 for Perl does not properly validate IP address and CIDR mask inputs, which may allow IP ACL bypass.\n\nInputs containing a trailing newline or non-ASCII digit characters pass the validators but are then re-encoded by the parser to a different address than the input string spelled. find() and bin_find() can match or miss addresses as a result.\n\nExample:\n\n my $cidr = Net::CIDR::Lite-\u003enew();\n $cidr-\u003eadd(\"::1\\n/128\");\n $cidr-\u003efind(\"::1a\"); # incorrectly returns true\n\nSee also CVE-2026-45191."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-1289",
"description": "CWE-1289 Improper Validation of Unsafe Equivalence in Input",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-10T20:15:24.721Z",
"orgId": "9b29abf9-4ab0-4765-b253-1875cd9b441e",
"shortName": "CPANSec"
},
"references": [
{
"tags": [
"patch"
],
"url": "https://github.com/stigtsp/Net-CIDR-Lite/commit/ca9542adec87110556601d7ce48381ea8d13e692.patch"
},
{
"tags": [
"release-notes"
],
"url": "https://metacpan.org/release/STIGTSP/Net-CIDR-Lite-0.24/changes"
},
{
"tags": [
"related"
],
"url": "https://www.cve.org/CVERecord?id=CVE-2026-45191"
}
],
"solutions": [
{
"lang": "en",
"value": "Upgrade to version 0.24 or newer, or apply the patch provided."
}
],
"source": {
"discovery": "UNKNOWN"
},
"timeline": [
{
"lang": "en",
"time": "2026-05-10T00:00:00.000Z",
"value": "Vulnerability found"
},
{
"lang": "en",
"time": "2026-05-10T00:00:00.000Z",
"value": "Net-CIDR-Lite version 0.24 released"
}
],
"title": "Net::CIDR::Lite versions before 0.24 for Perl does not properly validate IP address and CIDR mask inputs, which may allow IP ACL bypass",
"x_generator": {
"engine": "cpansec-cna-tool 0.1"
}
}
},
"cveMetadata": {
"assignerOrgId": "9b29abf9-4ab0-4765-b253-1875cd9b441e",
"assignerShortName": "CPANSec",
"cveId": "CVE-2026-45190",
"datePublished": "2026-05-10T20:15:24.721Z",
"dateReserved": "2026-05-10T16:36:05.708Z",
"dateUpdated": "2026-05-12T14:31:01.908Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-42462 (GCVE-0-2026-42462)
Vulnerability from cvelistv5 – Published: 2026-06-10 20:22 – Updated: 2026-06-11 13:34
VLAI
EPSS
VEX
Title
Fedify has an LD-Signature Bypass via JSON-LD Named-Graph Restructuring
Summary
Fedify is a TypeScript library for building federated server apps powered by ActivityPub. Prior to versions 1.9.11, 1.10.10, 2.0.18, 2.1.14, and 2.2.3, an attacker can make use of JSON-LD features to restructure a JSON-LD document that would change how Fedify interprets it without changing its Linked Data Signature, allowing them to alter a third-party signed activity they have received. Versions 1.9.11, 1.10.10, 2.0.18, 2.1.14, and 2.2.3 fix the issue.
Severity
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://github.com/fedify-dev/fedify/security/adv… | x_refsource_CONFIRM |
| https://github.com/fedify-dev/fedify/releases/tag/2.2.3 | x_refsource_MISC |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| fedify-dev | fedify |
Affected:
>= 2.2.0, < 2.2.3
Affected: >= 2.1.0, < 2.1.14 Affected: >= 2.0.0, < 2.0.18 Affected: >= 1.10.0, < 1.10.10 Affected: < 1.9.11 |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-42462",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-11T13:31:40.827057Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-11T13:34:03.443Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "fedify",
"vendor": "fedify-dev",
"versions": [
{
"status": "affected",
"version": "\u003e= 2.2.0, \u003c 2.2.3"
},
{
"status": "affected",
"version": "\u003e= 2.1.0, \u003c 2.1.14"
},
{
"status": "affected",
"version": "\u003e= 2.0.0, \u003c 2.0.18"
},
{
"status": "affected",
"version": "\u003e= 1.10.0, \u003c 1.10.10"
},
{
"status": "affected",
"version": "\u003c 1.9.11"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Fedify is a TypeScript library for building federated server apps powered by ActivityPub. Prior to versions 1.9.11, 1.10.10, 2.0.18, 2.1.14, and 2.2.3, an attacker can make use of JSON-LD features to restructure a JSON-LD document that would change how Fedify interprets it without changing its Linked Data Signature, allowing them to alter a third-party signed activity they have received. Versions 1.9.11, 1.10.10, 2.0.18, 2.1.14, and 2.2.3 fix the issue."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 7,
"baseSeverity": "HIGH",
"confidentialityImpact": "LOW",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:H/A:L",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-180",
"description": "CWE-180: Incorrect Behavior Order: Validate Before Canonicalize",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-347",
"description": "CWE-347: Improper Verification of Cryptographic Signature",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-436",
"description": "CWE-436: Interpretation Conflict",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-1289",
"description": "CWE-1289: Improper Validation of Unsafe Equivalence in Input",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-10T20:22:35.383Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/fedify-dev/fedify/security/advisories/GHSA-9rfg-v8g9-9367",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/fedify-dev/fedify/security/advisories/GHSA-9rfg-v8g9-9367"
},
{
"name": "https://github.com/fedify-dev/fedify/releases/tag/2.2.3",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/fedify-dev/fedify/releases/tag/2.2.3"
}
],
"source": {
"advisory": "GHSA-9rfg-v8g9-9367",
"discovery": "UNKNOWN"
},
"title": "Fedify has an LD-Signature Bypass via JSON-LD Named-Graph Restructuring"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-42462",
"datePublished": "2026-06-10T20:22:35.383Z",
"dateReserved": "2026-04-27T13:55:58.694Z",
"dateUpdated": "2026-06-11T13:34:03.443Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-41239 (GCVE-0-2026-41239)
Vulnerability from cvelistv5 – Published: 2026-04-23 14:47 – Updated: 2026-04-25 01:21
VLAI
EPSS
VEX
Title
DOMPurify has a SAFE_FOR_TEMPLATES bypass in RETURN_DOM mode
Summary
DOMPurify is a DOM-only cross-site scripting sanitizer for HTML, MathML, and SVG. Starting in version 1.0.10 and prior to version 3.4.0, `SAFE_FOR_TEMPLATES` strips `{{...}}` expressions from untrusted HTML. This works in string mode but not with `RETURN_DOM` or `RETURN_DOM_FRAGMENT`, allowing XSS via template-evaluating frameworks like Vue 2. Version 3.4.0 patches the issue.
Severity
6.8 (Medium)
SSVC
Exploitation: none
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://github.com/cure53/DOMPurify/security/advi… | x_refsource_CONFIRM |
| https://github.com/cure53/DOMPurify/releases/tag/3.4.0 | x_refsource_MISC |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-41239",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-04-25T01:21:32.614113Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-25T01:21:43.094Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "DOMPurify",
"vendor": "cure53",
"versions": [
{
"status": "affected",
"version": "\u003e= 1.0.10, \u003c 3.4.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "DOMPurify is a DOM-only cross-site scripting sanitizer for HTML, MathML, and SVG. Starting in version 1.0.10 and prior to version 3.4.0, `SAFE_FOR_TEMPLATES` strips `{{...}}` expressions from untrusted HTML. This works in string mode but not with `RETURN_DOM` or `RETURN_DOM_FRAGMENT`, allowing XSS via template-evaluating frameworks like Vue 2. Version 3.4.0 patches the issue."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.8,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-1289",
"description": "CWE-1289: Improper Validation of Unsafe Equivalence in Input",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-23T14:47:56.129Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/cure53/DOMPurify/security/advisories/GHSA-crv5-9vww-q3g8",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/cure53/DOMPurify/security/advisories/GHSA-crv5-9vww-q3g8"
},
{
"name": "https://github.com/cure53/DOMPurify/releases/tag/3.4.0",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/cure53/DOMPurify/releases/tag/3.4.0"
}
],
"source": {
"advisory": "GHSA-crv5-9vww-q3g8",
"discovery": "UNKNOWN"
},
"title": "DOMPurify has a SAFE_FOR_TEMPLATES bypass in RETURN_DOM mode"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-41239",
"datePublished": "2026-04-23T14:47:56.129Z",
"dateReserved": "2026-04-18T03:47:03.135Z",
"dateUpdated": "2026-04-25T01:21:43.094Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-41213 (GCVE-0-2026-41213)
Vulnerability from cvelistv5 – Published: 2026-04-23 18:33 – Updated: 2026-04-25 01:23
VLAI
EPSS
VEX
Title
@node-oauth/oauth2-server: PKCE code_verifier ABNF not enforced in token exchange allows brute-force redemption of intercepted authorization codes
Summary
@node-oauth/oauth2-server is a module for implementing an OAuth2 server in Node.js. The token exchange path accepts RFC7636-invalid code_verifier values (including one-character strings) for S256 PKCE flows. Because short/weak verifiers are accepted and failed verifier attempts do not consume the authorization code, an attacker who intercepts an authorization code can brute-force code_verifier guesses online until token issuance succeeds.
Severity
5.9 (Medium)
SSVC
Exploitation: poc
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://github.com/node-oauth/node-oauth2-server/… | x_refsource_CONFIRM |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| node-oauth | node-oauth2-server |
Affected:
< 5.3.0
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-41213",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-04-25T01:23:23.060024Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-25T01:23:58.715Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://github.com/node-oauth/node-oauth2-server/security/advisories/GHSA-jhm7-29pj-4xvf"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "node-oauth2-server",
"vendor": "node-oauth",
"versions": [
{
"status": "affected",
"version": "\u003c 5.3.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "@node-oauth/oauth2-server is a module for implementing an OAuth2 server in Node.js. The token exchange path accepts RFC7636-invalid code_verifier values (including one-character strings) for S256 PKCE flows. Because short/weak verifiers are accepted and failed verifier attempts do not consume the authorization code, an attacker who intercepts an authorization code can brute-force code_verifier guesses online until token issuance succeeds."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.9,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-307",
"description": "CWE-307: Improper Restriction of Excessive Authentication Attempts",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-1289",
"description": "CWE-1289: Improper Validation of Unsafe Equivalence in Input",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-23T18:33:42.365Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/node-oauth/node-oauth2-server/security/advisories/GHSA-jhm7-29pj-4xvf",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/node-oauth/node-oauth2-server/security/advisories/GHSA-jhm7-29pj-4xvf"
}
],
"source": {
"advisory": "GHSA-jhm7-29pj-4xvf",
"discovery": "UNKNOWN"
},
"title": "@node-oauth/oauth2-server: PKCE code_verifier ABNF not enforced in token exchange allows brute-force redemption of intercepted authorization codes"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-41213",
"datePublished": "2026-04-23T18:33:42.365Z",
"dateReserved": "2026-04-18T02:51:52.975Z",
"dateUpdated": "2026-04-25T01:23:58.715Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
Mitigation MIT-5
Implementation
Strategy: Input Validation
- Assume all input is malicious. Use an "accept known good" input validation strategy, i.e., use a list of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does.
- When performing input validation, consider all potentially relevant properties, including length, type of input, the full range of acceptable values, missing or extra inputs, syntax, consistency across related fields, and conformance to business rules. As an example of business rule logic, "boat" may be syntactically valid because it only contains alphanumeric characters, but it is not valid if the input is only expected to contain colors such as "red" or "blue."
- Do not rely exclusively on looking for malicious or malformed inputs. This is likely to miss at least one undesirable input, especially if the code's environment changes. This can give attackers enough room to bypass the intended validation. However, denylists can be useful for detecting potential attacks or determining which inputs are so malformed that they should be rejected outright.
No CAPEC attack patterns related to this CWE.