GHSA-vwm8-rprj-29f7HighCVSS 8.1

Leantime contains an OIDC login CSRF vulnerability in the verifyState() method that...

Published
July 6, 2026
Last Modified
July 6, 2026

🔗 CVE IDs covered (1)

📋 Description

Leantime contains an OIDC login CSRF vulnerability in the verifyState() method that unconditionally returns true without validating state parameters. Attackers can craft malicious callback URLs with attacker-controlled authorization codes to perform session fixation, logging victims in as the attacker.

🔗 References (6)