Ghostwire

CVE-2026-59713: Leantime contains an OIDC login CSRF vulnerability in the verifyState() method that unconditionally returns true without...

HIGH CVSS 0.0

Published: July 6, 2026 | Last Modified: July 6, 2026

Description

Leantime contains an OIDC login CSRF vulnerability in the verifyState() method that unconditionally returns true without validating state parameters. Attackers can craft malicious callback URLs with attacker-controlled authorization codes to perform session fixation, logging victims in as the attacker.

Ghostwire Analysis — What This Means Practically

This analysis is generated by Ghostwire from NVD, CISA KEV, EPSS, and open-source intelligence data. Verify findings through primary sources before acting.

Security Coverage (1 articles)

References