XianYuLauncher is a Minecraft Java Edition launcher. In versions prior to 1.5.5, sensitive authentication artifacts could be exposed during a user-initiated login under certain local attack conditions. Affected versions relied on a fixed localhost redirect URI without PKCE or state validation. Exploitation is most likely to occur when an attacker is able to observe, intercept, or otherwise interfere with the local authentication flow on the same device. This issue has been fixed in version 1.5.5.
CVE-2026-48991
This medium-severity CVE scores 5.5 under a secondary CVSS source (NVD's own analysis pending). EPSS exploit probability: 0.1%, top 97% of all CVEs by exploit prediction. GitHub Security Advisory data not yet ingested — confidence will rise once GHSA publishes (typical lag: hours to days for open-source ecosystem CVEs; never for infrastructure-only CVEs).
- Lower severity and no public exploit yet
No vendor fix yet — apply a workaround or compensating control (WAF / firewall / segmentation) and watch for a patch.
- CVSS v3
- 5.5
- EG Score
- 5.5(medium)
- EPSS
- 2.7%
- KEV
- Not listed
Published
June 17, 2026
Last Modified
June 22, 2026
Advisory Details (2)
Auto-updated Jun 17, 2026Legacy Microsoft account OAuth sign-in flow lacks PKCE and state validation · Advisory · XianYuLauncher/XianYuLauncher · GitHub
https://github.com/XianYuLauncher/XianYuLauncher/security/advisories/GHSA-q6r9-qxmf-8hfxfix: msal oauth hardening
Fix merged in XianYuLauncher/XianYuLauncher PR #213 on 2026-05-17 — awaiting tagged release
https://github.com/XianYuLauncher/XianYuLauncher/pull/213Related CVEs(same CWE)
Frequently asked(5)
What is CVE-2026-48991?
When was CVE-2026-48991 disclosed?
Is CVE-2026-48991 actively exploited?
What is the CVSS score of CVE-2026-48991?
How do I remediate CVE-2026-48991?
Dependency Blast Radius
Explore the affected products and dependency analysis for CVE-2026-48991
Is Your Infrastructure Affected by CVE-2026-48991?
EchelonGraph automatically scans your cloud infrastructure and maps CVE exposure using blast radius analysis.