CVE-2026-48991
MediumCVSS 5.5Exploitation Probability (EPSS)
Low risk3th percentile — higher than 3% of all known CVEs
Summary
XianYuLauncher is a Minecraft Java Edition launcher, in versions prior to 1.5.5, there was a risk of exposing sensitive authentication artifacts during a user-initiated login under certain local attack conditions. Affected versions relied on a fixed localhost redirect URI without PKCE or state validation.
Risk Assessment
The risk to the organization is the potential for an attacker to intercept sensitive authentication data by observing or interfering with the local authentication flow on the same device.
Recommendation
It is recommended to upgrade to version 1.5.5 or later to mitigate this vulnerability and secure the login process.
Original NVD description (English source)
XianYuLauncher is a Minecraft Java Edition launcher. In versions prior to 1.5.5, sensitive authentication artifacts could be exposed during a user-initiated login under certain local attack conditions. Affected versions relied on a fixed localhost redirect URI without PKCE or state validation. Exploitation is most likely to occur when an attacker is able to observe, intercept, or otherwise interfere with the local authentication flow on the same device. This issue has been fixed in version 1.5.5.

