CVE-2026-48991 XianYuLauncher CVE debrief

Who should care

Users of XianYuLauncher, especially those handling sensitive authentication information, should be aware of this vulnerability. Updating to version 1.5.5 or later is recommended to prevent potential exposure of sensitive authentication artifacts.

Technical summary

The XianYuLauncher vulnerability (CVE-2026-48991) arises from its reliance on a fixed localhost redirect URI without implementing Proof Key for Code Exchange (PKCE) or state validation. This oversight allows for the potential exposure of sensitive authentication artifacts during the login process under certain local attack conditions. The CVSS score for this vulnerability is 5.5, indicating a medium severity level. The vulnerability has been fixed in version 1.5.5 of the launcher.

Defensive priority

Medium

Recommended defensive actions

• Update XianYuLauncher to version 1.5.5 or later.
• Use secure authentication practices, including implementing PKCE and state validation for authentication flows.
• Monitor local network traffic for potential interception attempts.
• Ensure that the launcher is used in a secure environment, protected from local attacks.
• Regularly review and update software dependencies to ensure the latest security patches are applied.
• Consider using additional security measures, such as two-factor authentication, to enhance login security.

Evidence notes

The information provided is based on the CVE record and NVD details for CVE-2026-48991. The vulnerability was published on June 17, 2026, and modified on June 18, 2026. References to the fix in version 1.5.5 and details about the vulnerability can be found in the GitHub pull request and security advisory.

Official resources