{"@context":"https://openvex.dev/ns/v0.2.0","@id":"https://database.harborguard.co/cve/CVE-2026-9733/vex.json","author":"HarborGuard Database","role":"Document Creator","timestamp":"2026-06-23T14:18:05.692Z","version":1,"tooling":"HarborGuard Database (https://database.harborguard.co)","statements":[{"vulnerability":{"name":"CVE-2026-9733","@id":"https://www.cve.org/CVERecord?id=CVE-2026-9733","description":"Mojolicious::Plugin::Web::Auth::OAuth2 versions through 0.17 for Perl have an insecure default state parameter.\n\nWhen no state generator is specified in the constructor, the module defaults to using a SHA-1 hash of predictable and low-entropy sources, including the epoch time (which is leaked via the HTTP Date header) and a call to Perl's built-in rand function.\n\nA predictable state allows an attacker to hijack another user's session through cross-site request forgery (CSRF)."},"products":[{"@id":"cpe:2.3:a:hayajo:mojolicious\\:\\:plugin\\:\\:web\\:\\:auth\\:\\:oauth2:*:*:*:*:*:*:*:*","identifiers":{"cpe23":"cpe:2.3:a:hayajo:mojolicious\\:\\:plugin\\:\\:web\\:\\:auth\\:\\:oauth2:*:*:*:*:*:*:*:*"}}],"status":"affected","action_statement":"No fixed version is published yet; monitor the upstream advisory. Until a fix is released, pass an explicit state generator backed by a cryptographically secure random source to the constructor instead of relying on the default.","timestamp":"2026-06-23T14:18:05.692Z"}]}