CVE Catalog

CVE-2026-48991

MediumCVSS 5.5
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.13%

3th percentile — higher than 3% of all known CVEs

Summary

XianYuLauncher is a Minecraft Java Edition launcher, in versions prior to 1.5.5, there was a risk of exposing sensitive authentication artifacts during a user-initiated login under certain local attack conditions. Affected versions relied on a fixed localhost redirect URI without PKCE or state validation.

Risk Assessment

The risk to the organization is the potential for an attacker to intercept sensitive authentication data by observing or interfering with the local authentication flow on the same device.

Recommendation

It is recommended to upgrade to version 1.5.5 or later to mitigate this vulnerability and secure the login process.

Original NVD description (English source)

XianYuLauncher is a Minecraft Java Edition launcher. In versions prior to 1.5.5, sensitive authentication artifacts could be exposed during a user-initiated login under certain local attack conditions. Affected versions relied on a fixed localhost redirect URI without PKCE or state validation. Exploitation is most likely to occur when an attacker is able to observe, intercept, or otherwise interfere with the local authentication flow on the same device. This issue has been fixed in version 1.5.5.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS