GSSA-2026-04-P1V3KV
Published: 2026-04-25
Severity: 5.9 Medium
Non-constant-time CSRF token comparison and lax hex parsing in cobc-events
The CSRF middleware in cobc-events <1.0.1 compared the cookie nonce with `!==` before the timing-safe HMAC check and accepted malformed hex input, leaking timing data and weakening token verification.