Back to overview

CVE-2026-13410

HIGH
8.2
CVSS 3.1
Description
Dancer::Plugin::Auth::Google versions through 0.07 for Perl have TLS verification disabled. The default user agent is initialised with SSL_verify_mode explicitly disabled. An attacker with network man-in-the-middle (MITM) capability between the Dancer application and googleapis.com can intercept the OAuth2 token exchange and userinfo fetch, return a forged access_token and user profile, and be logged in to the Dancer application as any Google user.

Metadata

CVE ID
CVE-2026-13410
State
PUBLISHED
Assigner
CPANSec
Reserved
2026-06-26 10:06 UTC
Published
2026-07-17 12:50 UTC
Last updated
2026-07-17 17:32 UTC
Primary CWE
CWE-295
CWE-295 Improper Certificate Validation
Vendor / Product
GARU / Dancer::Plugin::Auth::Google
Sources
cve.org  ·  NVD

Severity & Metrics

8.2 HIGH CVSS 3.1
CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:L
SSVC — CISA Coordinator
Exploitation
none
Automatable
yes
Tech. Impact
partial
Affected products (1)
VendorProductPlatformVersions
GARU Dancer::Plugin::Auth::Google 0 ≤ 0.07
Weakness (CWE)
CWESourceDescription
CWE-295 cna CWE-295 Improper Certificate Validation
CVSS scores (1)
ScoreSeverityVersionSourceVector
8.2 HIGH 3.1 adp CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:L
Back to overview