Vulnerability in Roadiz Core-bundle-dev-app
CVE-2026-42206
Roadiz is a polymorphic content management system based on a node system. Prior to versions 2.3.43, 2.5.45, 2.6.31, and 2.7.18, the roadiz/openid package generates an OIDC nonce in OAuth2LinkGenerator::generate() and includes it in the aut…
EPSS: 0.000 (6.1th percentile)
Affected products
- Roadiz Core-bundle-dev-app — versions < 2.3.43; >= 2.5.0, < 2.5.45; >= 2.6.0, < 2.6.31
Weakness classification (CWE)
References
- security-advisories@github.com (x_refsource_CONFIRM)