CSRF in Pac4j

CVE-2026-40458

PAC4J is vulnerable to Cross-Site Request Forgery (CSRF). A malicious attacker can craft a specially designed website which, when visited by a user, will automatically submit a forged cross-site request with a token whose hash collides wit…

Vulnerability class: CSRF (Cross-Site Request Forgery)

EPSS: 0.000 (0.4th percentile)

Affected products

  • Pac4j — versions 5.0, 6.0

Weakness classification (CWE)

References