CVE-2026-59713
EUVD-2026-4194106.07.2026, 21:16
Leantime contains an OIDC login CSRF vulnerability in the verifyState() method that unconditionally returns true without validating state parameters. Attackers can craft malicious callback URLs with attacker-controlled authorization codes to perform session fixation, logging victims in as the attacker.
Early Detection
Affected products identified ahead of NVD analysis through intelligence sources.
| Vendor | Product | Version | Source |
|---|---|---|---|
| leantime | leantime | 𝑥 ≤ 3.4.4 | CNA |
Common Weakness Enumeration