Search criteria
ⓘ
Use full-text search for keyword queries.
Combine vendor, product, and sources to narrow results.
Enable “Apply ordering” to sort by dates instead of relevance.
83 vulnerabilities
CVE-2026-40199 (GCVE-0-2026-40199)
Vulnerability from cvelistv5 – Published: 2026-04-10 21:49 – Updated: 2026-04-10 21:49
VLAI?
Title
Net::CIDR::Lite versions before 0.23 for Perl mishandles IPv4 mapped IPv6 addresses, which may allow IP ACL bypass
Summary
Net::CIDR::Lite versions before 0.23 for Perl mishandles IPv4 mapped IPv6 addresses, which may allow IP ACL bypass.
_pack_ipv6() includes the sentinel byte from _pack_ipv4() when building the packed representation of IPv4 mapped addresses like ::ffff:192.168.1.1. This produces an 18 byte value instead of 17 bytes, misaligning the IPv4 part of the address.
The wrong length causes incorrect results in mask operations (bitwise AND truncates to the shorter operand) and in find() / bin_find() which use Perl string comparison (lt/gt). This can cause find() to incorrectly match or miss addresses.
Example:
my $cidr = Net::CIDR::Lite->new("::ffff:192.168.1.0/120");
$cidr->find("::ffff:192.168.2.0"); # incorrectly returns true
This is triggered by valid RFC 4291 IPv4 mapped addresses (::ffff:x.x.x.x).
See also CVE-2026-40198, a related issue in the same function affecting malformed IPv6 addresses.
Severity ?
No CVSS data available.
CWE
- CWE-130 - Improper Handling of Length Parameter Inconsistency
Assigner
References
| URL | Tags | |
|---|---|---|
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| STIGTSP | Net::CIDR::Lite |
Affected:
0 , < 0.23
(custom)
|
{
"containers": {
"cna": {
"affected": [
{
"collectionURL": "https://cpan.org/modules",
"defaultStatus": "unaffected",
"packageName": "Net-CIDR-Lite",
"product": "Net::CIDR::Lite",
"programFiles": [
"Lite.pm"
],
"programRoutines": [
{
"name": "Net::CIDR::Lite::_pack_ipv6"
}
],
"repo": "https://github.com/stigtsp/Net-CIDR-Lite",
"vendor": "STIGTSP",
"versions": [
{
"lessThan": "0.23",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Net::CIDR::Lite versions before 0.23 for Perl mishandles IPv4 mapped IPv6 addresses, which may allow IP ACL bypass.\n\n_pack_ipv6() includes the sentinel byte from _pack_ipv4() when building the packed representation of IPv4 mapped addresses like ::ffff:192.168.1.1. This produces an 18 byte value instead of 17 bytes, misaligning the IPv4 part of the address.\n\nThe wrong length causes incorrect results in mask operations (bitwise AND truncates to the shorter operand) and in find() / bin_find() which use Perl string comparison (lt/gt). This can cause find() to incorrectly match or miss addresses.\n\nExample:\n\n my $cidr = Net::CIDR::Lite-\u003enew(\"::ffff:192.168.1.0/120\");\n $cidr-\u003efind(\"::ffff:192.168.2.0\"); # incorrectly returns true\n\nThis is triggered by valid RFC 4291 IPv4 mapped addresses (::ffff:x.x.x.x).\n\nSee also CVE-2026-40198, a related issue in the same function affecting malformed IPv6 addresses."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-130",
"description": "CWE-130 Improper Handling of Length Parameter Inconsistency",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-10T21:49:48.353Z",
"orgId": "9b29abf9-4ab0-4765-b253-1875cd9b441e",
"shortName": "CPANSec"
},
"references": [
{
"tags": [
"patch"
],
"url": "https://github.com/stigtsp/Net-CIDR-Lite/commit/b7166b1fa17b3b14b4c795ace5b3fbf71a0bd04a.patch"
},
{
"tags": [
"release-notes"
],
"url": "https://metacpan.org/release/STIGTSP/Net-CIDR-Lite-0.23/changes"
},
{
"tags": [
"related"
],
"url": "https://www.cve.org/CVERecord?id=CVE-2026-40198"
}
],
"solutions": [
{
"lang": "en",
"value": "Upgrade to version 0.23 or newer, or apply the patch provided."
}
],
"source": {
"discovery": "UNKNOWN"
},
"timeline": [
{
"lang": "en",
"time": "2026-04-09T00:00:00.000Z",
"value": "Vulnerability found"
},
{
"lang": "en",
"time": "2026-04-10T00:00:00.000Z",
"value": "Net-CIDR-Lite version 0.23 released"
}
],
"title": "Net::CIDR::Lite versions before 0.23 for Perl mishandles IPv4 mapped IPv6 addresses, which may allow IP ACL bypass",
"x_generator": {
"engine": "cpansec-cna-tool 0.1"
}
}
},
"cveMetadata": {
"assignerOrgId": "9b29abf9-4ab0-4765-b253-1875cd9b441e",
"assignerShortName": "CPANSec",
"cveId": "CVE-2026-40199",
"datePublished": "2026-04-10T21:49:48.353Z",
"dateReserved": "2026-04-09T22:12:06.334Z",
"dateUpdated": "2026-04-10T21:49:48.353Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-40198 (GCVE-0-2026-40198)
Vulnerability from cvelistv5 – Published: 2026-04-10 21:42 – Updated: 2026-04-10 21:42
VLAI?
Title
Net::CIDR::Lite versions before 0.23 for Perl does not validate IPv6 group count, which may allow IP ACL bypass
Summary
Net::CIDR::Lite versions before 0.23 for Perl does not validate IPv6 group count, which may allow IP ACL bypass.
_pack_ipv6() does not check that uncompressed IPv6 addresses (without ::) have exactly 8 hex groups. Inputs like "abcd", "1:2:3", or "1:2:3:4:5:6:7" are accepted and produce packed values of wrong length (3, 7, or 15 bytes instead of 17).
The packed values are used internally for mask and comparison operations. find() and bin_find() use Perl string comparison (lt/gt) on these values, and comparing strings of different lengths gives wrong results. This can cause find() to incorrectly report an address as inside or outside a range.
Example:
my $cidr = Net::CIDR::Lite->new("::/8");
$cidr->find("1:2:3"); # invalid input, incorrectly returns true
This is the same class of input validation issue as CVE-2021-47154 (IPv4 leading zeros) previously fixed in this module.
See also CVE-2026-40199, a related issue in the same function affecting IPv4 mapped IPv6 addresses.
Severity ?
No CVSS data available.
CWE
- CWE-1286 - Improper Validation of Syntactic Correctness of Input
Assigner
References
| URL | Tags | |
|---|---|---|
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| STIGTSP | Net::CIDR::Lite |
Affected:
0 , < 0.23
(custom)
|
{
"containers": {
"cna": {
"affected": [
{
"collectionURL": "https://cpan.org/modules",
"defaultStatus": "unaffected",
"packageName": "Net-CIDR-Lite",
"product": "Net::CIDR::Lite",
"programFiles": [
"Lite.pm"
],
"programRoutines": [
{
"name": "Net::CIDR::Lite::_pack_ipv6"
}
],
"repo": "https://github.com/stigtsp/Net-CIDR-Lite",
"vendor": "STIGTSP",
"versions": [
{
"lessThan": "0.23",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Net::CIDR::Lite versions before 0.23 for Perl does not validate IPv6 group count, which may allow IP ACL bypass.\n\n_pack_ipv6() does not check that uncompressed IPv6 addresses (without ::) have exactly 8 hex groups. Inputs like \"abcd\", \"1:2:3\", or \"1:2:3:4:5:6:7\" are accepted and produce packed values of wrong length (3, 7, or 15 bytes instead of 17).\n\nThe packed values are used internally for mask and comparison operations. find() and bin_find() use Perl string comparison (lt/gt) on these values, and comparing strings of different lengths gives wrong results. This can cause find() to incorrectly report an address as inside or outside a range.\n\nExample:\n\n my $cidr = Net::CIDR::Lite-\u003enew(\"::/8\");\n $cidr-\u003efind(\"1:2:3\"); # invalid input, incorrectly returns true\n\nThis is the same class of input validation issue as CVE-2021-47154 (IPv4 leading zeros) previously fixed in this module.\n\nSee also CVE-2026-40199, a related issue in the same function affecting IPv4 mapped IPv6 addresses."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-1286",
"description": "CWE-1286 Improper Validation of Syntactic Correctness of Input",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-10T21:42:06.835Z",
"orgId": "9b29abf9-4ab0-4765-b253-1875cd9b441e",
"shortName": "CPANSec"
},
"references": [
{
"tags": [
"patch"
],
"url": "https://github.com/stigtsp/Net-CIDR-Lite/commit/25d65f85dbe4885959a10471725ec9d250a589c3.patch"
},
{
"tags": [
"release-notes"
],
"url": "https://metacpan.org/release/STIGTSP/Net-CIDR-Lite-0.23/changes"
},
{
"tags": [
"related"
],
"url": "https://www.cve.org/CVERecord?id=CVE-2026-40199"
}
],
"solutions": [
{
"lang": "en",
"value": "Upgrade to version 0.23 or newer, or apply the patch provided."
}
],
"source": {
"discovery": "UNKNOWN"
},
"timeline": [
{
"lang": "en",
"time": "2026-04-09T00:00:00.000Z",
"value": "Vulnerability found"
},
{
"lang": "en",
"time": "2026-04-10T00:00:00.000Z",
"value": "Net-CIDR-Lite version 0.23 released"
}
],
"title": "Net::CIDR::Lite versions before 0.23 for Perl does not validate IPv6 group count, which may allow IP ACL bypass",
"x_generator": {
"engine": "cpansec-cna-tool 0.1"
}
}
},
"cveMetadata": {
"assignerOrgId": "9b29abf9-4ab0-4765-b253-1875cd9b441e",
"assignerShortName": "CPANSec",
"cveId": "CVE-2026-40198",
"datePublished": "2026-04-10T21:42:06.835Z",
"dateReserved": "2026-04-09T22:12:06.334Z",
"dateUpdated": "2026-04-10T21:42:06.835Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-5083 (GCVE-0-2026-5083)
Vulnerability from cvelistv5 – Published: 2026-04-08 05:53 – Updated: 2026-04-08 17:24
VLAI?
Title
Ado::Sessions versions through 0.935 for Perl generates insecure session ids
Summary
Ado::Sessions versions through 0.935 for Perl generates insecure session ids.
The session id is generated from a SHA-1 hash seeded with the built-in rand function, the epoch time, and the PID. The PID will come from a small set of numbers, and the epoch time may be guessed, if it is not leaked from the HTTP Date header. The built-in rand function is unsuitable for cryptographic usage.
Predicable session ids could allow an attacker to gain access to systems.
Note that Ado is no longer maintained, and has been removed from the CPAN index. It is still available on BackPAN.
Severity ?
5.3 (Medium)
CWE
Assigner
References
| URL | Tags | ||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| BEROV | Ado::Sessions |
Affected:
0 , ≤ 0.935
(custom)
|
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2026-5083",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-04-08T16:08:27.234472Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-08T16:08:29.799Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2026-04-08T17:24:13.917Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "http://www.openwall.com/lists/oss-security/2026/04/08/7"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://cpan.org/modules",
"defaultStatus": "unaffected",
"packageName": "Ado",
"product": "Ado::Sessions",
"programFiles": [
"lib/Ado/Session.pm"
],
"programRoutines": [
{
"name": "Ado::Sessions::generate_id"
}
],
"repo": "https://github.com/kberov/Ado",
"vendor": "BEROV",
"versions": [
{
"lessThanOrEqual": "0.935",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Ado::Sessions versions through 0.935 for Perl generates insecure session ids.\n\nThe session id is generated from a SHA-1 hash seeded with the built-in rand function, the epoch time, and the PID. The PID will come from a small set of numbers, and the epoch time may be guessed, if it is not leaked from the HTTP Date header. The built-in rand function is unsuitable for cryptographic usage.\n\nPredicable session ids could allow an attacker to gain access to systems.\n\nNote that Ado is no longer maintained, and has been removed from the CPAN index. It is still available on BackPAN."
}
],
"impacts": [
{
"capecId": "CAPEC-115",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-115 Authentication Bypass"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-340",
"description": "CWE-340 Generation of Predictable Numbers or Identifiers",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-338",
"description": "CWE-338 Use of Cryptographically Weak Pseudo-Random Number Generator",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-08T05:53:16.963Z",
"orgId": "9b29abf9-4ab0-4765-b253-1875cd9b441e",
"shortName": "CPANSec"
},
"references": [
{
"tags": [
"issue-tracking"
],
"url": "https://github.com/kberov/Ado/issues/112"
},
{
"url": "https://backpan.perl.org/authors/id/B/BE/BEROV/Ado-0.935.tar.gz"
},
{
"tags": [
"technical-description"
],
"url": "https://security.metacpan.org/docs/guides/random-data-for-security.html"
}
],
"source": {
"discovery": "UNKNOWN"
},
"timeline": [
{
"lang": "en",
"time": "2017-09-02T00:00:00.000Z",
"value": "Last version of Ado was released on CPAN."
},
{
"lang": "en",
"time": "2018-09-24T00:00:00.000Z",
"value": "Announcement that Ado will not be updated anymore."
}
],
"title": "Ado::Sessions versions through 0.935 for Perl generates insecure session ids",
"x_generator": {
"engine": "cpansec-cna-tool 0.1"
}
}
},
"cveMetadata": {
"assignerOrgId": "9b29abf9-4ab0-4765-b253-1875cd9b441e",
"assignerShortName": "CPANSec",
"cveId": "CVE-2026-5083",
"datePublished": "2026-04-08T05:53:16.963Z",
"dateReserved": "2026-03-28T19:14:30.969Z",
"dateUpdated": "2026-04-08T17:24:13.917Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-5082 (GCVE-0-2026-5082)
Vulnerability from cvelistv5 – Published: 2026-04-08 05:48 – Updated: 2026-04-08 16:09
VLAI?
Title
Amon2::Plugin::Web::CSRFDefender versions from 7.00 through 7.03 for Perl generate an insecure session id
Summary
Amon2::Plugin::Web::CSRFDefender versions from 7.00 through 7.03 for Perl generate an insecure session id.
The generate_session_id function will attempt to read bytes from the /dev/urandom device, but if that is unavailable then it generates bytes using SHA-1 hash seeded with the built-in rand() function, the PID, and the high resolution epoch time. The PID will come from a small set of numbers, and the epoch time may be guessed, if it is not leaked from the HTTP Date header. The built-in rand function is unsuitable for cryptographic usage.
Amon2::Plugin::Web::CSRFDefender versions before 7.00 were part of Amon2, which was vulnerable to insecure session ids due to CVE-2025-15604.
Note that the author has deprecated this module.
Severity ?
5.3 (Medium)
CWE
Assigner
References
| URL | Tags | ||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| TOKUHIROM | Amon2::Plugin::Web::CSRFDefender |
Affected:
7.00 , ≤ 7.03
(custom)
|
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2026-5082",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-04-08T16:09:08.752556Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-08T16:09:26.357Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://cpan.org/modules",
"defaultStatus": "unaffected",
"packageName": "Amon2-Plugin-Web-CSRFDefender",
"product": "Amon2::Plugin::Web::CSRFDefender",
"programFiles": [
"lib/Amon2/Plugin/Web/CSRFDefender/Random.pm"
],
"programRoutines": [
{
"name": "Amon2::Plugin::Web::CSRFDefender::Random::generate_session_id"
}
],
"repo": "https://github.com/tokuhirom/Amon2-Plugin-Web-CSRFDefender",
"vendor": "TOKUHIROM",
"versions": [
{
"lessThanOrEqual": "7.03",
"status": "affected",
"version": "7.00",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Amon2::Plugin::Web::CSRFDefender versions from 7.00 through 7.03 for Perl generate an insecure session id.\n\nThe generate_session_id function will attempt to read bytes from the /dev/urandom device, but if that is unavailable then it generates bytes using SHA-1 hash seeded with the built-in rand() function, the PID, and the high resolution epoch time. The PID will come from a small set of numbers, and the epoch time may be guessed, if it is not leaked from the HTTP Date header. The built-in rand function is unsuitable for cryptographic usage.\n\nAmon2::Plugin::Web::CSRFDefender versions before 7.00 were part of Amon2, which was vulnerable to insecure session ids due to CVE-2025-15604.\n\nNote that the author has deprecated this module."
}
],
"impacts": [
{
"capecId": "CAPEC-62",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-62 Cross Site Request Forgery"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-340",
"description": "CWE-340 Generation of Predictable Numbers or Identifiers",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-338",
"description": "CWE-338 Use of Cryptographically Weak Pseudo-Random Number Generator",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-08T05:48:43.633Z",
"orgId": "9b29abf9-4ab0-4765-b253-1875cd9b441e",
"shortName": "CPANSec"
},
"references": [
{
"url": "https://metacpan.org/release/TOKUHIROM/Amon2-Plugin-Web-CSRFDefender-7.03/source/lib/Amon2/Plugin/Web/CSRFDefender/Random.pm"
},
{
"tags": [
"release-notes"
],
"url": "https://metacpan.org/release/TOKUHIROM/Amon2-Plugin-Web-CSRFDefender-7.04/changes"
},
{
"tags": [
"related",
"vendor-advisory"
],
"url": "https://www.cve.org/CVERecord?id=CVE-2025-15604"
}
],
"solutions": [
{
"lang": "en",
"value": "Upgrade to Amon2::Plugin::Web::CSRFDefender version 7.04 or later."
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Amon2::Plugin::Web::CSRFDefender versions from 7.00 through 7.03 for Perl generate an insecure session id",
"x_generator": {
"engine": "cpansec-cna-tool 0.1"
}
}
},
"cveMetadata": {
"assignerOrgId": "9b29abf9-4ab0-4765-b253-1875cd9b441e",
"assignerShortName": "CPANSec",
"cveId": "CVE-2026-5082",
"datePublished": "2026-04-08T05:48:43.633Z",
"dateReserved": "2026-03-28T19:12:35.387Z",
"dateUpdated": "2026-04-08T16:09:26.357Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-5087 (GCVE-0-2026-5087)
Vulnerability from cvelistv5 – Published: 2026-03-31 16:03 – Updated: 2026-04-01 14:43
VLAI?
Title
PAGI::Middleware::Session::Store::Cookie versions through 0.001003 for Perl generates random bytes insecurely
Summary
PAGI::Middleware::Session::Store::Cookie versions through 0.001003 for Perl generates random bytes insecurely.
PAGI::Middleware::Session::Store::Cookie attempts to read bytes from the /dev/urandom device directly. If that fails (for example, on systems without the device, such as Windows), then it will emit a warning that recommends the user install Crypt::URandom, and then return a string of random bytes generated by the built-in rand function, which is unsuitable for cryptographic applications.
This modules does not use the Crypt::URandom module, and installing it will not fix the problem.
The random bytes are used for generating an initialisation vector (IV) to encrypt the cookie.
A predictable IV may make it easier for malicious users to decrypt and tamper with the session data that is stored in the cookie.
Severity ?
7.5 (High)
CWE
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| JJNAPIORK | PAGI::Middleware::Session::Store::Cookie |
Affected:
0 , ≤ 0.001003
(custom)
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2026-03-31T18:18:48.427Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "http://www.openwall.com/lists/oss-security/2026/03/31/10"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2026-5087",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-04-01T14:40:20.356872Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-01T14:43:35.295Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://cpan.org/modules",
"defaultStatus": "unaffected",
"packageName": "PAGI-Middleware-Session-Store-Cookie",
"product": "PAGI::Middleware::Session::Store::Cookie",
"programFiles": [
"lib/PAGI/Middleware/Session/Store/Cookie.pm"
],
"programRoutines": [
{
"name": "PAGI::Middleware::Session::Store::Cookie::_random_bytes"
}
],
"repo": "https://github.com/jjn1056/PAGI-Middleware-Session-Store-Cookie",
"vendor": "JJNAPIORK",
"versions": [
{
"lessThanOrEqual": "0.001003",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "PAGI::Middleware::Session::Store::Cookie versions through 0.001003 for Perl generates random bytes insecurely.\n\nPAGI::Middleware::Session::Store::Cookie attempts to read bytes from the /dev/urandom device directly. If that fails (for example, on systems without the device, such as Windows), then it will emit a warning that recommends the user install Crypt::URandom, and then return a string of random bytes generated by the built-in rand function, which is unsuitable for cryptographic applications.\n\nThis modules does not use the Crypt::URandom module, and installing it will not fix the problem.\n\nThe random bytes are used for generating an initialisation vector (IV) to encrypt the cookie.\n\nA predictable IV may make it easier for malicious users to decrypt and tamper with the session data that is stored in the cookie."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-338",
"description": "CWE-338 Use of Cryptographically Weak Pseudo-Random Number Generator",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-1204",
"description": "CWE-1204 Generation of Weak Initialization Vector (IV)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-03-31T16:03:08.278Z",
"orgId": "9b29abf9-4ab0-4765-b253-1875cd9b441e",
"shortName": "CPANSec"
},
"references": [
{
"url": "https://metacpan.org/release/JJNAPIORK/PAGI-Middleware-Session-Store-Cookie-0.001003/source/lib/PAGI/Middleware/Session/Store/Cookie.pm#L156-173"
},
{
"tags": [
"release-notes"
],
"url": "https://metacpan.org/release/JJNAPIORK/PAGI-Middleware-Session-Store-Cookie-0.001004/changes"
}
],
"solutions": [
{
"lang": "en",
"value": "Upgrade to version 0.001004 or newer."
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "PAGI::Middleware::Session::Store::Cookie versions through 0.001003 for Perl generates random bytes insecurely",
"x_generator": {
"engine": "cpansec-cna-tool 0.1"
}
}
},
"cveMetadata": {
"assignerOrgId": "9b29abf9-4ab0-4765-b253-1875cd9b441e",
"assignerShortName": "CPANSec",
"cveId": "CVE-2026-5087",
"datePublished": "2026-03-31T16:03:08.278Z",
"dateReserved": "2026-03-28T19:29:58.433Z",
"dateUpdated": "2026-04-01T14:43:35.295Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2024-14031 (GCVE-0-2024-14031)
Vulnerability from cvelistv5 – Published: 2026-03-31 11:31 – Updated: 2026-04-01 16:30
VLAI?
Title
Sereal::Encoder versions from 4.000 through 4.009_002 for Perl embeds a vulnerable version of the Zstandard library
Summary
Sereal::Encoder versions from 4.000 through 4.009_002 for Perl embeds a vulnerable version of the Zstandard library.
Sereal::Encoder embeds a version of the Zstandard (zstd) library that is vulnerable to CVE-2019-11922. This is a race condition in the one-pass compression functions of Zstandard prior to version 1.3.8 could allow an attacker to write bytes out of bounds if an output buffer smaller than the recommended size was used.
Severity ?
8.1 (High)
CWE
- CWE-1395 - Dependency on Vulnerable Third-Party Component
Assigner
References
| URL | Tags | ||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| YVES | Sereal::Encoder |
Affected:
4.000 , ≤ 4.009_002
(custom)
|
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2024-14031",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-03-31T14:19:21.141997Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-1395",
"description": "CWE-1395 Dependency on Vulnerable Third-Party Component",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-03-31T14:19:27.286Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://cpan.org/modules",
"defaultStatus": "unaffected",
"packageName": "Sereal-Encoder",
"product": "Sereal::Encoder",
"repo": "https://github.com/Sereal/Sereal",
"vendor": "YVES",
"versions": [
{
"lessThanOrEqual": "4.009_002",
"status": "affected",
"version": "4.000",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Sereal::Encoder versions from 4.000 through 4.009_002 for Perl embeds a vulnerable version of the Zstandard library.\n\nSereal::Encoder embeds a version of the Zstandard (zstd) library that is vulnerable to CVE-2019-11922. This is a race condition in the one-pass compression functions of Zstandard prior to version 1.3.8 could allow an attacker to write bytes out of bounds if an output buffer smaller than the recommended size was used."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-1395",
"description": "CWE-1395 Dependency on Vulnerable Third-Party Component",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-01T16:30:00.649Z",
"orgId": "9b29abf9-4ab0-4765-b253-1875cd9b441e",
"shortName": "CPANSec"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://github.com/advisories/GHSA-w77f-wv46-4vcx"
},
{
"tags": [
"vendor-advisory"
],
"url": "https://www.cve.org/CVERecord?id=CVE-2019-11922"
},
{
"tags": [
"release-notes"
],
"url": "https://metacpan.org/release/YVES/Sereal-Encoder-4.010/changes"
}
],
"solutions": [
{
"lang": "en",
"value": "Upgrade to Sereal::Encoder version 4.010 or later."
}
],
"source": {
"discovery": "UNKNOWN"
},
"timeline": [
{
"lang": "en",
"time": "2017-02-06T00:00:00.000Z",
"value": "Sereal::Encoder version 4.001_001 released."
},
{
"lang": "en",
"time": "2018-12-27T00:00:00.000Z",
"value": "Zstandard 1.3.8 released."
},
{
"lang": "en",
"time": "2019-07-25T00:00:00.000Z",
"value": "CVE-2019-11922 for Zstandard published"
},
{
"lang": "en",
"time": "2020-02-04T00:00:00.000Z",
"value": "Sereal::Encoder version 4.010 released."
},
{
"lang": "en",
"time": "2023-02-09T00:00:00.000Z",
"value": "Advisory added to the CPANSA database."
},
{
"lang": "en",
"time": "2024-02-17T00:00:00.000Z",
"value": "Advisory updated in the CPANSA database."
}
],
"title": "Sereal::Encoder versions from 4.000 through 4.009_002 for Perl embeds a vulnerable version of the Zstandard library",
"x_generator": {
"engine": "cpansec-cna-tool 0.1"
}
}
},
"cveMetadata": {
"assignerOrgId": "9b29abf9-4ab0-4765-b253-1875cd9b441e",
"assignerShortName": "CPANSec",
"cveId": "CVE-2024-14031",
"datePublished": "2026-03-31T11:31:28.100Z",
"dateReserved": "2026-03-29T15:12:06.674Z",
"dateUpdated": "2026-04-01T16:30:00.649Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2024-14030 (GCVE-0-2024-14030)
Vulnerability from cvelistv5 – Published: 2026-03-31 11:31 – Updated: 2026-04-01 16:29
VLAI?
Title
Sereal::Decoder versions from 4.000 through 4.009_002 for Perl embeds a vulnerable version of the Zstandard library
Summary
Sereal::Decoder versions from 4.000 through 4.009_002 for Perl embeds a vulnerable version of the Zstandard library.
Sereal::Decoder embeds a version of the Zstandard (zstd) library that is vulnerable to CVE-2019-11922. This is a race condition in the one-pass compression functions of Zstandard prior to version 1.3.8 could allow an attacker to write bytes out of bounds if an output buffer smaller than the recommended size was used.
Severity ?
8.1 (High)
CWE
- CWE-1395 - Dependency on Vulnerable Third-Party Component
Assigner
References
| URL | Tags | ||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| YVES | Sereal::Decoder |
Affected:
4.000 , ≤ 4.009_002
(custom)
|
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2024-14030",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-03-31T14:18:18.323057Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-1395",
"description": "CWE-1395 Dependency on Vulnerable Third-Party Component",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-03-31T14:18:55.221Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://cpan.org/modules",
"defaultStatus": "unaffected",
"packageName": "Sereal-Decoder",
"product": "Sereal::Decoder",
"repo": "https://github.com/Sereal/Sereal",
"vendor": "YVES",
"versions": [
{
"lessThanOrEqual": "4.009_002",
"status": "affected",
"version": "4.000",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Sereal::Decoder versions from 4.000 through 4.009_002 for Perl embeds a vulnerable version of the Zstandard library.\n\nSereal::Decoder embeds a version of the Zstandard (zstd) library that is vulnerable to CVE-2019-11922. This is a race condition in the one-pass compression functions of Zstandard prior to version 1.3.8 could allow an attacker to write bytes out of bounds if an output buffer smaller than the recommended size was used."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-1395",
"description": "CWE-1395 Dependency on Vulnerable Third-Party Component",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-01T16:29:33.903Z",
"orgId": "9b29abf9-4ab0-4765-b253-1875cd9b441e",
"shortName": "CPANSec"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://github.com/advisories/GHSA-w77f-wv46-4vcx"
},
{
"tags": [
"vendor-advisory"
],
"url": "https://www.cve.org/CVERecord?id=CVE-2019-11922"
},
{
"tags": [
"release-notes"
],
"url": "https://metacpan.org/release/YVES/Sereal-Decoder-4.010/changes"
}
],
"solutions": [
{
"lang": "en",
"value": "Upgrade to Sereal::Decoder version 4.010 or later."
}
],
"source": {
"discovery": "UNKNOWN"
},
"timeline": [
{
"lang": "en",
"time": "2017-02-06T00:00:00.000Z",
"value": "Sereal::Decoder version 4.001_001 released."
},
{
"lang": "en",
"time": "2018-12-27T00:00:00.000Z",
"value": "Zstandard 1.3.8 released."
},
{
"lang": "en",
"time": "2019-07-25T00:00:00.000Z",
"value": "CVE-2019-11922 for Zstandard published"
},
{
"lang": "en",
"time": "2020-02-04T00:00:00.000Z",
"value": "Sereal::Decoder version 4.010 released."
},
{
"lang": "en",
"time": "2023-02-09T00:00:00.000Z",
"value": "Advisory added to the CPANSA database."
},
{
"lang": "en",
"time": "2024-02-17T00:00:00.000Z",
"value": "Advisory updated in the CPANSA database."
}
],
"title": "Sereal::Decoder versions from 4.000 through 4.009_002 for Perl embeds a vulnerable version of the Zstandard library",
"x_generator": {
"engine": "cpansec-cna-tool 0.1"
}
}
},
"cveMetadata": {
"assignerOrgId": "9b29abf9-4ab0-4765-b253-1875cd9b441e",
"assignerShortName": "CPANSec",
"cveId": "CVE-2024-14030",
"datePublished": "2026-03-31T11:31:08.541Z",
"dateReserved": "2026-03-28T19:49:07.023Z",
"dateUpdated": "2026-04-01T16:29:33.903Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-15618 (GCVE-0-2025-15618)
Vulnerability from cvelistv5 – Published: 2026-03-31 10:04 – Updated: 2026-03-31 18:18
VLAI?
Title
Business::OnlinePayment::StoredTransaction versions through 0.01 for Perl uses an insecure secret key
Summary
Business::OnlinePayment::StoredTransaction versions through 0.01 for Perl uses an insecure secret key.
Business::OnlinePayment::StoredTransaction generates a secret key by using a MD5 hash of a single call to the built-in rand function, which is unsuitable for cryptographic use.
This key is intended for encrypting credit card transaction data.
Severity ?
9.1 (Critical)
CWE
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| MOCK | Business::OnlinePayment::StoredTransaction |
Affected:
0 , ≤ 0.01
(custom)
|
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 9.1,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2025-15618",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-03-31T14:42:57.742486Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-03-31T14:43:15.408Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2026-03-31T18:18:47.103Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "http://www.openwall.com/lists/oss-security/2026/03/31/7"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://cpan.org/modules",
"defaultStatus": "unaffected",
"packageName": "Business-OnlinePayment-StoredTransaction",
"product": "Business::OnlinePayment::StoredTransaction",
"programRoutines": [
{
"name": "Business::OnlinePayment::StoredTransaction::submit"
}
],
"vendor": "MOCK",
"versions": [
{
"lessThanOrEqual": "0.01",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Business::OnlinePayment::StoredTransaction versions through 0.01 for Perl uses an insecure secret key.\n\nBusiness::OnlinePayment::StoredTransaction generates a secret key by using a MD5 hash of a single call to the built-in rand function, which is unsuitable for cryptographic use.\n\nThis key is intended for encrypting credit card transaction data."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-338",
"description": "CWE-338 Use of Cryptographically Weak Pseudo-Random Number Generator",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-693",
"description": "CWE-693 Protection Mechanism Failure",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-03-31T10:04:34.763Z",
"orgId": "9b29abf9-4ab0-4765-b253-1875cd9b441e",
"shortName": "CPANSec"
},
"references": [
{
"url": "https://metacpan.org/dist/Business-OnlinePayment-StoredTransaction/source/lib/Business/OnlinePayment/StoredTransaction.pm#L64-75"
},
{
"url": "https://security.metacpan.org/patches/B/Business-OnlinePayment-StoredTransaction/0.01/CVE-2025-15618-r1.patch"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Business::OnlinePayment::StoredTransaction versions through 0.01 for Perl uses an insecure secret key",
"workarounds": [
{
"lang": "en",
"value": "Apply the patch that uses Crypt::URandom to generate a secret key."
}
],
"x_generator": {
"engine": "cpansec-cna-tool 0.1"
}
}
},
"cveMetadata": {
"assignerOrgId": "9b29abf9-4ab0-4765-b253-1875cd9b441e",
"assignerShortName": "CPANSec",
"cveId": "CVE-2025-15618",
"datePublished": "2026-03-31T10:04:34.763Z",
"dateReserved": "2026-03-29T14:46:35.859Z",
"dateUpdated": "2026-03-31T18:18:47.103Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-4176 (GCVE-0-2026-4176)
Vulnerability from cvelistv5 – Published: 2026-03-29 20:50 – Updated: 2026-03-30 15:35
VLAI?
Title
Perl versions from 5.9.4 before 5.40.4-RC1, from 5.41.0 before 5.42.2-RC1, from 5.43.0 before 5.43.9 contain a vulnerable version of Compress::Raw::Zlib
Summary
Perl versions from 5.9.4 before 5.40.4-RC1, from 5.41.0 before 5.42.2-RC1, from 5.43.0 before 5.43.9 contain a vulnerable version of Compress::Raw::Zlib.
Compress::Raw::Zlib is included in the Perl package as a dual-life core module, and is vulnerable to CVE-2026-3381 due to a vendored version of zlib which has several vulnerabilities, including CVE-2026-27171. The bundled Compress::Raw::Zlib was updated to version 2.221 in Perl blead commit c75ae9cc164205e1b6d6dbd57bd2c65c8593fe94.
Severity ?
9.8 (Critical)
CWE
- CWE-1395 - Dependency on Vulnerable Third-Party Component
Assigner
References
| URL | Tags | |||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||
Impacted products
Credits
Bernhard Schmalhofer
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2026-03-30T04:56:37.564Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "http://www.openwall.com/lists/oss-security/2026/03/30/2"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2026-4176",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-03-30T15:34:29.395269Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-1395",
"description": "CWE-1395 Dependency on Vulnerable Third-Party Component",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-03-30T15:35:08.162Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://cpan.org/modules",
"defaultStatus": "unaffected",
"packageName": "perl",
"product": "perl",
"repo": "https://github.com/Perl/perl5",
"vendor": "SHAY",
"versions": [
{
"lessThan": "5.40.4-RC1",
"status": "affected",
"version": "5.9.4",
"versionType": "custom"
},
{
"lessThan": "5.42.2-RC1",
"status": "affected",
"version": "5.41.0",
"versionType": "custom"
},
{
"lessThan": "5.43.9",
"status": "affected",
"version": "5.43.0",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "Bernhard Schmalhofer"
}
],
"descriptions": [
{
"lang": "en",
"value": "Perl versions from 5.9.4 before 5.40.4-RC1, from 5.41.0 before 5.42.2-RC1, from 5.43.0 before 5.43.9 contain a vulnerable version of Compress::Raw::Zlib.\n\nCompress::Raw::Zlib is included in the Perl package as a dual-life core module, and is vulnerable to CVE-2026-3381 due to a vendored version of zlib which has several vulnerabilities, including CVE-2026-27171. The bundled Compress::Raw::Zlib was updated to version 2.221 in Perl blead commit c75ae9cc164205e1b6d6dbd57bd2c65c8593fe94."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-1395",
"description": "CWE-1395 Dependency on Vulnerable Third-Party Component",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-03-29T20:50:51.058Z",
"orgId": "9b29abf9-4ab0-4765-b253-1875cd9b441e",
"shortName": "CPANSec"
},
"references": [
{
"tags": [
"vendor-advisory",
"related",
"vdb-entry"
],
"url": "https://www.cve.org/CVERecord?id=CVE-2026-3381"
},
{
"tags": [
"vendor-advisory"
],
"url": "https://lists.security.metacpan.org/cve-announce/msg/37638919/"
},
{
"tags": [
"patch"
],
"url": "https://github.com/Perl/perl5/commit/c75ae9cc164205e1b6d6dbd57bd2c65c8593fe94"
},
{
"tags": [
"release-notes"
],
"url": "https://metacpan.org/release/PMQS/Compress-Raw-Zlib-2.221/source/Changes"
},
{
"tags": [
"release-notes"
],
"url": "https://metacpan.org/release/SHAY/perl-5.40.4/changes"
},
{
"tags": [
"release-notes"
],
"url": "https://metacpan.org/release/SHAY/perl-5.42.2/changes"
}
],
"solutions": [
{
"lang": "en",
"value": "Update to Perl stable release 5.40.4 or 5.42.2 or later, which include Compress::Raw::Zlib 2.222."
}
],
"source": {
"discovery": "UNKNOWN"
},
"timeline": [
{
"lang": "en",
"time": "2026-02-27T00:00:00.000Z",
"value": "Compress::Raw::Zlib 2.221 committed to Perl blead."
},
{
"lang": "en",
"time": "2026-03-07T00:00:00.000Z",
"value": "CVE-2026-3381 published for Compress::Raw::Zlib."
},
{
"lang": "en",
"time": "2026-03-14T00:00:00.000Z",
"value": "CVE-2026-4176 reserved."
},
{
"lang": "en",
"time": "2026-03-29T00:00:00.000Z",
"value": "Perl 5.40.4 and 5.42.2 released."
}
],
"title": "Perl versions from 5.9.4 before 5.40.4-RC1, from 5.41.0 before 5.42.2-RC1, from 5.43.0 before 5.43.9 contain a vulnerable version of Compress::Raw::Zlib",
"workarounds": [
{
"lang": "en",
"value": "Install Compress::Raw::Zlib 2.220 or later into your @INC include path, so it takes precedence over the vulnerable core module shipped with Perl.\n\nSome OS distributions patch their perl package to build Compress::Raw::Zlib against the system zlib rather than the vendored copy. Users of these distributions may not be affected if their system zlib has been updated to 1.3.2 or later, or includes backported patches for the relevant vulnerabilities."
}
],
"x_generator": {
"engine": "cpansec-cna-tool 0.1"
}
}
},
"cveMetadata": {
"assignerOrgId": "9b29abf9-4ab0-4765-b253-1875cd9b441e",
"assignerShortName": "CPANSec",
"cveId": "CVE-2026-4176",
"datePublished": "2026-03-29T20:50:51.058Z",
"dateReserved": "2026-03-14T16:17:19.077Z",
"dateUpdated": "2026-03-30T15:35:08.162Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-4851 (GCVE-0-2026-4851)
Vulnerability from cvelistv5 – Published: 2026-03-29 00:22 – Updated: 2026-04-01 14:17
VLAI?
Title
GRID::Machine versions through 0.127 for Perl allows arbitrary code execution via unsafe deserialization
Summary
GRID::Machine versions through 0.127 for Perl allows arbitrary code execution via unsafe deserialization.
GRID::Machine provides Remote Procedure Calls (RPC) over SSH for Perl. The client connects to remote hosts to execute code on them. A compromised or malicious remote host can execute arbitrary code back on the client through unsafe deserialization in the RPC protocol.
read_operation() in lib/GRID/Machine/Message.pm deserialises values from the remote side using eval()
$arg .= '$VAR1';
my $val = eval "no strict; $arg"; # line 40-41
$arg is raw bytes from the protocol pipe. A compromised remote host can embed arbitrary perl in the Dumper-formatted response:
$VAR1 = do { system("..."); };
This executes on the client silently on every RPC call, as the return values remain correct.
This functionality is by design but the trust requirement for the remote host is not documented in the distribution.
Severity ?
9.8 (Critical)
CWE
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| CASIANO | GRID::Machine |
Affected:
0 , ≤ 0.127
(custom)
|
Credits
Pied Crow crow@cpan.org
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2026-03-29T00:23:56.336Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "http://www.openwall.com/lists/oss-security/2026/03/26/6"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2026-4851",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-04-01T14:17:04.307893Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-01T14:17:48.164Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://cpan.org/modules",
"defaultStatus": "unaffected",
"packageName": "GRID-Machine",
"product": "GRID::Machine",
"programFiles": [
"lib/GRID/Machine/Message.pm"
],
"programRoutines": [
{
"name": "GRID::Machine::read_operation()"
}
],
"vendor": "CASIANO",
"versions": [
{
"lessThanOrEqual": "0.127",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Pied Crow crow@cpan.org"
}
],
"descriptions": [
{
"lang": "en",
"value": "GRID::Machine versions through 0.127 for Perl allows arbitrary code execution via unsafe deserialization.\n\nGRID::Machine provides Remote Procedure Calls (RPC) over SSH for Perl. The client connects to remote hosts to execute code on them. A compromised or malicious remote host can execute arbitrary code back on the client through unsafe deserialization in the RPC protocol.\n\nread_operation() in lib/GRID/Machine/Message.pm deserialises values from the remote side using eval()\n\n $arg .= \u0027$VAR1\u0027;\n my $val = eval \"no strict; $arg\"; # line 40-41\n\n$arg is raw bytes from the protocol pipe. A compromised remote host can embed arbitrary perl in the Dumper-formatted response:\n\n $VAR1 = do { system(\"...\"); };\n\nThis executes on the client silently on every RPC call, as the return values remain correct.\n\nThis functionality is by design but the trust requirement for the remote host is not documented in the distribution."
}
],
"impacts": [
{
"capecId": "CAPEC-586",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-586 Object Injection"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-502",
"description": "CWE-502 Deserialization of Untrusted Data",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-95",
"description": "CWE-95 Improper Neutralization of Directives in Dynamically Evaluated Code (\u0027Eval Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-03-29T00:22:22.578Z",
"orgId": "9b29abf9-4ab0-4765-b253-1875cd9b441e",
"shortName": "CPANSec"
},
"references": [
{
"tags": [
"third-party-advisory"
],
"url": "https://www.openwall.com/lists/oss-security/2026/03/26/6"
}
],
"source": {
"discovery": "UNKNOWN"
},
"timeline": [
{
"lang": "en",
"time": "2026-03-24T00:00:00.000Z",
"value": "Vulnerability reported to module author and CPANSec"
},
{
"lang": "en",
"time": "2026-03-25T00:00:00.000Z",
"value": "CVE assigned by CPANSec"
},
{
"lang": "en",
"time": "2026-03-26T00:00:00.000Z",
"value": "Author confirmed module is unmaintained, no fix available"
},
{
"lang": "en",
"time": "2026-03-26T00:00:00.000Z",
"value": "Disclosed on oss-security mailing list"
}
],
"title": "GRID::Machine versions through 0.127 for Perl allows arbitrary code execution via unsafe deserialization",
"workarounds": [
{
"lang": "en",
"value": "There is no fix available. If used, only connect to trusted remote hosts."
}
],
"x_generator": {
"engine": "cpansec-cna-tool 0.1"
}
}
},
"cveMetadata": {
"assignerOrgId": "9b29abf9-4ab0-4765-b253-1875cd9b441e",
"assignerShortName": "CPANSec",
"cveId": "CVE-2026-4851",
"datePublished": "2026-03-29T00:22:22.578Z",
"dateReserved": "2026-03-25T14:56:47.454Z",
"dateUpdated": "2026-04-01T14:17:48.164Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-3256 (GCVE-0-2026-3256)
Vulnerability from cvelistv5 – Published: 2026-03-28 18:52 – Updated: 2026-04-01 14:14
VLAI?
Title
HTTP::Session versions through 0.53 for Perl defaults to using insecurely generated session ids
Summary
HTTP::Session versions through 0.53 for Perl defaults to using insecurely generated session ids.
HTTP::Session defaults to using HTTP::Session::ID::SHA1 to generate session ids using a SHA-1 hash seeded with the built-in rand function, the high resolution epoch time, and the PID. The PID will come from a small set of numbers, and the epoch time may be guessed, if it is not leaked from the HTTP Date header. The built-in rand function is unsuitable for cryptographic usage.
The distribution includes HTTP::session::ID::MD5 which contains a similar flaw, but uses the MD5 hash instead.
Severity ?
9.8 (Critical)
CWE
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| KTAT | HTTP::Session |
Affected:
0 , ≤ 0.53
(custom)
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2026-03-28T20:06:47.537Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "http://www.openwall.com/lists/oss-security/2026/03/28/5"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2026-3256",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-04-01T14:14:27.526725Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-01T14:14:51.886Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://cpan.org/modules",
"defaultStatus": "unaffected",
"packageName": "http-session",
"product": "HTTP::Session",
"programRoutines": [
{
"name": "HTTP::Session::ID::SHA1::generate_id"
},
{
"name": "HTTP::Session::ID::MD5::generate_id"
}
],
"repo": "https://github.com/tokuhirom/http-session",
"vendor": "KTAT",
"versions": [
{
"lessThanOrEqual": "0.53",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "HTTP::Session versions through 0.53 for Perl defaults to using insecurely generated session ids.\n\nHTTP::Session defaults to using HTTP::Session::ID::SHA1 to generate session ids using a SHA-1 hash seeded with the built-in rand function, the high resolution epoch time, and the PID. The PID will come from a small set of numbers, and the epoch time may be guessed, if it is not leaked from the HTTP Date header. The built-in rand function is unsuitable for cryptographic usage.\n\nThe distribution includes HTTP::session::ID::MD5 which contains a similar flaw, but uses the MD5 hash instead."
}
],
"impacts": [
{
"capecId": "CAPEC-115",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-115 Authentication Bypass"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-340",
"description": "CWE-340 Generation of Predictable Numbers or Identifiers",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-338",
"description": "CWE-338 Use of Cryptographically Weak Pseudo-Random Number Generator",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-03-28T18:52:39.917Z",
"orgId": "9b29abf9-4ab0-4765-b253-1875cd9b441e",
"shortName": "CPANSec"
},
"references": [
{
"url": "https://metacpan.org/release/KTAT/http-session-0.53/source/lib/HTTP/Session/ID/SHA1.pm"
},
{
"url": "https://metacpan.org/release/KTAT/http-session-0.53/source/lib/HTTP/Session/ID/MD5.pm"
},
{
"tags": [
"technical-description"
],
"url": "https://security.metacpan.org/docs/guides/random-data-for-security.html"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "HTTP::Session versions through 0.53 for Perl defaults to using insecurely generated session ids",
"workarounds": [
{
"lang": "en",
"value": "Users on systems with a /dev/urandom device should configure the module to use HTTP::Session::ID::Urandom.\n\nUsers on systems without a /dev/urandom (such as Windows) device will need to create custom ID modules that make use of module such as Crypt::SysRandom or Crypt::URandom."
}
],
"x_generator": {
"engine": "cpansec-cna-tool 0.1"
}
}
},
"cveMetadata": {
"assignerOrgId": "9b29abf9-4ab0-4765-b253-1875cd9b441e",
"assignerShortName": "CPANSec",
"cveId": "CVE-2026-3256",
"datePublished": "2026-03-28T18:52:39.917Z",
"dateReserved": "2026-02-26T11:59:23.755Z",
"dateUpdated": "2026-04-01T14:14:51.886Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-15604 (GCVE-0-2025-15604)
Vulnerability from cvelistv5 – Published: 2026-03-28 18:43 – Updated: 2026-04-01 14:13
VLAI?
Title
Amon2 versions before 6.17 for Perl use an insecure random_string implementation for security functions
Summary
Amon2 versions before 6.17 for Perl use an insecure random_string implementation for security functions.
In versions 6.06 through 6.16, the random_string function will attempt to read bytes from the /dev/urandom device, but if that is unavailable then it generates bytes by concatenating a SHA-1 hash seeded with the built-in rand() function, the PID, and the high resolution epoch time. The PID will come from a small set of numbers, and the epoch time may be guessed, if it is not leaked from the HTTP Date header. The built-in rand function is unsuitable for cryptographic usage.
Before version 6.06, there was no fallback when /dev/urandom was not available.
Before version 6.04, the random_string function used the built-in rand() function to generate a mixed-case alphanumeric string.
This function may be used for generating session ids, generating secrets for signing or encrypting cookie session data and generating tokens used for Cross Site Request Forgery (CSRF) protection.
Severity ?
9.8 (Critical)
CWE
Assigner
References
| URL | Tags | |||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2026-03-28T20:06:46.387Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "http://www.openwall.com/lists/oss-security/2026/03/28/4"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2025-15604",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-04-01T14:12:25.901323Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-01T14:13:01.746Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://cpan.org/modules",
"defaultStatus": "unaffected",
"packageName": "Amon2",
"product": "Amon2",
"programFiles": [
"lib/Amon2/Util.pm"
],
"programRoutines": [
{
"name": "Amon2::Util::random_string"
}
],
"repo": "https://github.com/tokuhirom/Amon",
"vendor": "TOKUHIROM",
"versions": [
{
"lessThan": "6.17",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Amon2 versions before 6.17 for Perl use an insecure random_string implementation for security functions.\n\nIn versions 6.06 through 6.16, the random_string function will attempt to read bytes from the /dev/urandom device, but if that is unavailable then it generates bytes by concatenating a SHA-1 hash seeded with the built-in rand() function, the PID, and the high resolution epoch time. The PID will come from a small set of numbers, and the epoch time may be guessed, if it is not leaked from the HTTP Date header. The built-in rand function is unsuitable for cryptographic usage.\n\nBefore version 6.06, there was no fallback when /dev/urandom was not available.\n\nBefore version 6.04, the random_string function used the built-in rand() function to generate a mixed-case alphanumeric string.\n\nThis function may be used for generating session ids, generating secrets for signing or encrypting cookie session data and generating tokens used for Cross Site Request Forgery (CSRF) protection."
}
],
"impacts": [
{
"capecId": "CAPEC-62",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-62 Cross Site Request Forgery"
}
]
},
{
"capecId": "CAPEC-115",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-115 Authentication Bypass"
}
]
},
{
"capecId": "CAPEC-586",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-586 Object Injection"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-340",
"description": "CWE-340 Generation of Predictable Numbers or Identifiers",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-338",
"description": "CWE-338 Use of Cryptographically Weak Pseudo-Random Number Generator",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-03-28T18:43:56.318Z",
"orgId": "9b29abf9-4ab0-4765-b253-1875cd9b441e",
"shortName": "CPANSec"
},
"references": [
{
"url": "https://metacpan.org/release/TOKUHIROM/Amon2-6.17/diff/TOKUHIROM/Amon2-6.16#lib/Amon2/Util.pm"
},
{
"tags": [
"release-notes"
],
"url": "https://metacpan.org/release/TOKUHIROM/Amon2-6.17/changes"
},
{
"tags": [
"issue-tracking"
],
"url": "https://github.com/tokuhirom/Amon/pull/135"
},
{
"tags": [
"technical-description"
],
"url": "https://security.metacpan.org/docs/guides/random-data-for-security.html"
}
],
"solutions": [
{
"lang": "en",
"value": "Upgrade to Amon2 version 6.17 or later."
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Amon2 versions before 6.17 for Perl use an insecure random_string implementation for security functions",
"x_generator": {
"engine": "cpansec-cna-tool 0.1"
}
}
},
"cveMetadata": {
"assignerOrgId": "9b29abf9-4ab0-4765-b253-1875cd9b441e",
"assignerShortName": "CPANSec",
"cveId": "CVE-2025-15604",
"datePublished": "2026-03-28T18:43:56.318Z",
"dateReserved": "2026-03-08T23:56:33.670Z",
"dateUpdated": "2026-04-01T14:13:01.746Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2014-125112 (GCVE-0-2014-125112)
Vulnerability from cvelistv5 – Published: 2026-03-26 02:04 – Updated: 2026-03-26 14:53
VLAI?
Title
Plack::Middleware::Session::Cookie versions through 0.21 for Perl allows remote code execution
Summary
Plack::Middleware::Session::Cookie versions through 0.21 for Perl allows remote code execution.
Plack::Middleware::Session::Cookie versions through 0.21 has a security vulnerability where it allows an attacker to execute arbitrary code on the server during deserialization of the cookie data, when there is no secret used to sign the cookie.
Severity ?
9.8 (Critical)
CWE
- CWE-565 - Reliance on Cookies without Validation and Integrity Checking
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| MIYAGAWA | Plack::Middleware::Session::Cookie |
Affected:
0 , ≤ 0.21
(custom)
|
Credits
mala (@bulkneets)
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2026-03-26T04:46:57.862Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "http://www.openwall.com/lists/oss-security/2026/03/26/2"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2014-125112",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-03-26T14:52:33.130571Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-03-26T14:53:30.210Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://cpan.org/modules",
"defaultStatus": "unaffected",
"packageName": "Plack-Middleware-Session",
"product": "Plack::Middleware::Session::Cookie",
"repo": "https://github.com/plack/Plack-Middleware-Session",
"vendor": "MIYAGAWA",
"versions": [
{
"lessThanOrEqual": "0.21",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "mala (@bulkneets)"
}
],
"descriptions": [
{
"lang": "en",
"value": "Plack::Middleware::Session::Cookie versions through 0.21 for Perl allows remote code execution.\n\nPlack::Middleware::Session::Cookie versions through 0.21 has a security vulnerability where it allows an attacker to execute arbitrary code on the server during deserialization of the cookie data, when there is no secret used to sign the cookie."
}
],
"impacts": [
{
"capecId": "CAPEC-586",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-586 Object Injection"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-565",
"description": "CWE-565 Reliance on Cookies without Validation and Integrity Checking",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-03-26T02:04:10.267Z",
"orgId": "9b29abf9-4ab0-4765-b253-1875cd9b441e",
"shortName": "CPANSec"
},
"references": [
{
"tags": [
"technical-description"
],
"url": "https://gist.github.com/miyagawa/2b8764af908a0dacd43d"
},
{
"tags": [
"release-notes"
],
"url": "https://metacpan.org/release/MIYAGAWA/Plack-Middleware-Session-0.23-TRIAL/changes"
}
],
"solutions": [
{
"lang": "en",
"value": "Upgrade Plack::Middleware::Session to version 0.23 or later (ideally version 0.36 or later), and set the \"secret\" option."
}
],
"source": {
"discovery": "UNKNOWN"
},
"timeline": [
{
"lang": "en",
"time": "2014-08-11T00:00:00.000Z",
"value": "Vulnerability disclosed by MIYAGAWA."
},
{
"lang": "en",
"time": "2014-08-11T00:00:00.000Z",
"value": "Version 0.22 released that warns when the \"secret\" option is not set."
},
{
"lang": "en",
"time": "2014-08-11T00:00:00.000Z",
"value": "Version 0.23-TRIAL released that requires the \"secret\" option to be set."
},
{
"lang": "en",
"time": "2014-09-05T00:00:00.000Z",
"value": "Version 0.24 released. Same as 0.23 but not a trial release."
},
{
"lang": "en",
"time": "2016-02-03T00:00:00.000Z",
"value": "Version 0.26 released. Documentation improved with SYNOPSIS giving an example of how to set the \"secret\" option."
},
{
"lang": "en",
"time": "2019-01-26T00:00:00.000Z",
"value": "CPANSA-Plack-Middleware-Session-Cookie-2014-01 assigned in CPAN::Audit::DB"
},
{
"lang": "en",
"time": "2019-03-09T00:00:00.000Z",
"value": "CPANSA-Plack-Middleware-Session-2014-01 reassigned in CPAN::Audit::DB"
},
{
"lang": "en",
"time": "2025-07-08T00:00:00.000Z",
"value": "CVE-2014-125112 assigned by CPANSec."
}
],
"title": "Plack::Middleware::Session::Cookie versions through 0.21 for Perl allows remote code execution",
"workarounds": [
{
"lang": "en",
"value": "Set the \"secret\" option."
}
],
"x_generator": {
"engine": "cpansec-cna-tool 0.1"
}
}
},
"cveMetadata": {
"assignerOrgId": "9b29abf9-4ab0-4765-b253-1875cd9b441e",
"assignerShortName": "CPANSec",
"cveId": "CVE-2014-125112",
"datePublished": "2026-03-26T02:04:10.267Z",
"dateReserved": "2025-07-08T15:24:38.840Z",
"dateUpdated": "2026-03-26T14:53:30.210Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2006-10003 (GCVE-0-2006-10003)
Vulnerability from cvelistv5 – Published: 2026-03-19 11:08 – Updated: 2026-04-04 08:11
VLAI?
Title
XML::Parser versions through 2.47 for Perl has an off-by-one heap buffer overflow in st_serial_stack
Summary
XML::Parser versions through 2.47 for Perl has an off-by-one heap buffer overflow in st_serial_stack.
In the case (stackptr == stacksize - 1), the stack will NOT be expanded. Then the new value will be written at location (++stackptr), which equals stacksize and therefore falls just outside the allocated buffer.
The bug can be observed when parsing an XML file with very deep element nesting
Severity ?
9.8 (Critical)
Assigner
References
| URL | Tags | ||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| TODDR | XML::Parser |
Affected:
0 , ≤ 2.47
(custom)
|
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2006-10003",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-03-19T17:08:41.621885Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-03-19T17:09:59.672Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2026-04-04T08:11:42.558Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "http://www.openwall.com/lists/oss-security/2026/03/19/2"
},
{
"url": "https://lists.debian.org/debian-lts-announce/2026/04/msg00002.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://cpan.org/modules",
"defaultStatus": "unaffected",
"packageName": "XML-Parser",
"product": "XML::Parser",
"programFiles": [
"Expat.xs"
],
"programRoutines": [
{
"name": "startElement"
}
],
"repo": "http://github.com/toddr/XML-Parser",
"vendor": "TODDR",
"versions": [
{
"lessThanOrEqual": "2.47",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "XML::Parser versions through 2.47 for Perl has an off-by-one heap buffer overflow in st_serial_stack.\n\nIn the case (stackptr == stacksize - 1), the stack will NOT be expanded. Then the new value will be written at location (++stackptr), which equals stacksize and therefore falls just outside the allocated buffer.\n\nThe bug can be observed when parsing an XML file with very deep element nesting"
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-193",
"description": "CWE-193 Off-by-one Error",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-122",
"description": "CWE-122 Heap-based Buffer Overflow",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-03-19T11:08:04.341Z",
"orgId": "9b29abf9-4ab0-4765-b253-1875cd9b441e",
"shortName": "CPANSec"
},
"references": [
{
"tags": [
"issue-tracking"
],
"url": "https://rt.cpan.org/Ticket/Display.html?id=19860"
},
{
"tags": [
"issue-tracking"
],
"url": "https://github.com/cpan-authors/XML-Parser/issues/39"
},
{
"tags": [
"patch"
],
"url": "https://github.com/cpan-authors/XML-Parser/commit/3eb9cc95420fa0c3f76947c4708962546bf27cfd.patch"
}
],
"solutions": [
{
"lang": "en",
"value": "Apply the patch that has been publicly available since 2006-06-13 or upgrade to version 2.48 or later when it is released."
}
],
"source": {
"discovery": "UNKNOWN"
},
"timeline": [
{
"lang": "en",
"time": "2006-06-13T00:00:00.000Z",
"value": "Issue logged and patch provided in Request Tracker for XML::Parser"
},
{
"lang": "en",
"time": "2019-09-23T00:00:00.000Z",
"value": "Issue migrated to github issue tracker"
},
{
"lang": "en",
"time": "2019-09-24T00:00:00.000Z",
"value": "Patch provided in github issue tracker"
},
{
"lang": "en",
"time": "2026-03-16T00:00:00.000Z",
"value": "PR created and commit merged to git repo"
}
],
"title": "XML::Parser versions through 2.47 for Perl has an off-by-one heap buffer overflow in st_serial_stack",
"workarounds": [
{
"lang": "en",
"value": "Apply the patch that has been publicly available since 2006-06-13."
}
],
"x_generator": {
"engine": "cpansec-cna-tool 0.1"
}
}
},
"cveMetadata": {
"assignerOrgId": "9b29abf9-4ab0-4765-b253-1875cd9b441e",
"assignerShortName": "CPANSec",
"cveId": "CVE-2006-10003",
"datePublished": "2026-03-19T11:08:04.341Z",
"dateReserved": "2026-03-16T22:52:39.890Z",
"dateUpdated": "2026-04-04T08:11:42.558Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2006-10002 (GCVE-0-2006-10002)
Vulnerability from cvelistv5 – Published: 2026-03-19 11:03 – Updated: 2026-03-22 23:06
VLAI?
Title
XML::Parser versions through 2.45 for Perl could overflow the pre-allocated buffer size cause a heap corruption (double free or corruption) and crashes
Summary
XML::Parser versions through 2.45 for Perl could overflow the pre-allocated buffer size cause a heap corruption (double free or corruption) and crashes.
A :utf8 PerlIO layer, parse_stream() in Expat.xs could overflow the XML input buffer because Perl's read() returns decoded characters while SvPV() gives back multi-byte UTF-8 bytes that can exceed the pre-allocated buffer size. This can cause heap corruption (double free or corruption) and crashes.
Severity ?
9.8 (Critical)
Assigner
References
| URL | Tags | |||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| TODDR | XML::Parser |
Affected:
0 , ≤ 2.45
(custom)
|
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2006-10002",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-03-19T17:11:03.634936Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-03-19T17:11:26.953Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2026-03-22T23:06:42.361Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "http://www.openwall.com/lists/oss-security/2026/03/19/1"
},
{
"url": "http://www.openwall.com/lists/oss-security/2026/03/22/3"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://cpan.org/modules",
"defaultStatus": "unaffected",
"packageName": "XML-Parser",
"product": "XML::Parser",
"programFiles": [
"Expat.xs"
],
"programRoutines": [
{
"name": "parse_stream"
}
],
"repo": "http://github.com/toddr/XML-Parser",
"vendor": "TODDR",
"versions": [
{
"lessThanOrEqual": "2.45",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "XML::Parser versions through 2.45 for Perl could overflow the pre-allocated buffer size cause a heap corruption (double free or corruption) and crashes.\n\nA :utf8 PerlIO layer, parse_stream() in Expat.xs could overflow the XML input buffer because Perl\u0027s read() returns decoded characters while SvPV() gives back multi-byte UTF-8 bytes that can exceed the pre-allocated buffer size. This can cause heap corruption (double free or corruption) and crashes."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-122",
"description": "CWE-122 Heap-based Buffer Overflow",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-176",
"description": "CWE-176 Improper Handling of Unicode Encoding",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-03-21T11:43:43.607Z",
"orgId": "9b29abf9-4ab0-4765-b253-1875cd9b441e",
"shortName": "CPANSec"
},
"references": [
{
"tags": [
"issue-tracking"
],
"url": "https://rt.cpan.org/Ticket/Display.html?id=19859"
},
{
"tags": [
"issue-tracking"
],
"url": "https://github.com/cpan-authors/XML-Parser/issues/64"
},
{
"tags": [
"release-notes"
],
"url": "https://metacpan.org/release/TODDR/XML-Parser-2.46/changes"
},
{
"tags": [
"patch"
],
"url": "https://github.com/cpan-authors/XML-Parser/commit/56b0509dfc6b559cd7555ea81ee62e3622069255.patch"
}
],
"solutions": [
{
"lang": "en",
"value": "Apply the patch that has been publicly available since 2006-06-13 or upgrade to version 2.46 or later."
}
],
"source": {
"discovery": "UNKNOWN"
},
"timeline": [
{
"lang": "en",
"time": "2006-06-13T00:00:00.000Z",
"value": "Issue logged in Request Tracker for XML::Parser"
},
{
"lang": "en",
"time": "2006-08-11T00:00:00.000Z",
"value": "Patch provided in Request Tracker for XML::Parser"
},
{
"lang": "en",
"time": "2019-09-24T00:00:00.000Z",
"value": "Issue migrated to github issue tracker"
},
{
"lang": "en",
"time": "2019-09-24T00:00:00.000Z",
"value": "Patch provided in github issue tracker"
},
{
"lang": "en",
"time": "2019-09-24T00:00:00.000Z",
"value": "Included in release 2.46 released to CPAN"
}
],
"title": "XML::Parser versions through 2.45 for Perl could overflow the pre-allocated buffer size cause a heap corruption (double free or corruption) and crashes",
"workarounds": [
{
"lang": "en",
"value": "Apply the patch that has been publicly available since 2006-06-13."
}
],
"x_generator": {
"engine": "cpansec-cna-tool 0.1"
}
}
},
"cveMetadata": {
"assignerOrgId": "9b29abf9-4ab0-4765-b253-1875cd9b441e",
"assignerShortName": "CPANSec",
"cveId": "CVE-2006-10002",
"datePublished": "2026-03-19T11:03:46.888Z",
"dateReserved": "2026-03-16T22:47:45.685Z",
"dateUpdated": "2026-03-22T23:06:42.361Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-4177 (GCVE-0-2026-4177)
Vulnerability from cvelistv5 – Published: 2026-03-16 22:30 – Updated: 2026-03-17 14:04
VLAI?
Title
YAML::Syck versions through 1.36 for Perl has several potential security vulnerabilities including a high-severity heap buffer overflow in the YAML emitter
Summary
YAML::Syck versions through 1.36 for Perl has several potential security vulnerabilities including a high-severity heap buffer overflow in the YAML emitter.
The heap overflow occurs when class names exceed the initial 512-byte allocation.
The base64 decoder could read past the buffer end on trailing newlines.
strtok mutated n->type_id in place, corrupting shared node data.
A memory leak occurred in syck_hdlr_add_anchor when a node already had an anchor. The incoming anchor string 'a' was leaked on early return.
Severity ?
9.1 (Critical)
CWE
- CWE-122 - Heap-based Buffer Overflow
Assigner
References
| URL | Tags | |
|---|---|---|
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| TODDR | YAML::Syck |
Affected:
0 , ≤ 1.36
(custom)
|
Credits
Todd Rinaldo
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2026-03-17T01:34:04.213Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "http://www.openwall.com/lists/oss-security/2026/03/16/6"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.1,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2026-4177",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-03-17T14:04:29.127464Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-03-17T14:04:53.600Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://cpan.org/modules",
"defaultStatus": "unaffected",
"packageName": "YAML-Syck",
"product": "YAML::Syck",
"programFiles": [
"emitter.c",
"handler.c",
"perl_common.h",
"perl_syck.h"
],
"programRoutines": [
{
"name": "YAML::Syck::yaml_syck_emitter_handler()"
},
{
"name": "YAML::Syck::syck_base64dec()"
},
{
"name": "YAML::Syck::yaml_syck_parser_handler()"
},
{
"name": "YAML::Syck::syck_hdlr_add_anchor()"
}
],
"repo": "https://github.com/cpan-authors/YAML-Syck",
"vendor": "TODDR",
"versions": [
{
"lessThanOrEqual": "1.36",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Todd Rinaldo"
}
],
"descriptions": [
{
"lang": "en",
"value": "YAML::Syck versions through 1.36 for Perl has several potential security vulnerabilities including a high-severity heap buffer overflow in the YAML emitter.\n\nThe heap overflow occurs when class names exceed the initial 512-byte allocation.\n\nThe base64 decoder could read past the buffer end on trailing newlines.\n\nstrtok mutated n-\u003etype_id in place, corrupting shared node data.\n\nA memory leak occurred in syck_hdlr_add_anchor when a node already had an anchor. The incoming anchor string \u0027a\u0027 was leaked on early return."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-122",
"description": "CWE-122 Heap-based Buffer Overflow",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-03-16T22:30:25.367Z",
"orgId": "9b29abf9-4ab0-4765-b253-1875cd9b441e",
"shortName": "CPANSec"
},
"references": [
{
"tags": [
"patch"
],
"url": "https://github.com/cpan-authors/YAML-Syck/commit/e8844a31c8cf0052914b198fc784ed4e6b8ae69e.patch"
},
{
"tags": [
"release-notes"
],
"url": "https://metacpan.org/release/TODDR/YAML-Syck-1.37_01/changes#L21"
}
],
"solutions": [
{
"lang": "en",
"value": "Upgrade to version 1.37 or higher."
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "YAML::Syck versions through 1.36 for Perl has several potential security vulnerabilities including a high-severity heap buffer overflow in the YAML emitter",
"x_generator": {
"engine": "cpansec-cna-tool 0.1"
}
}
},
"cveMetadata": {
"assignerOrgId": "9b29abf9-4ab0-4765-b253-1875cd9b441e",
"assignerShortName": "CPANSec",
"cveId": "CVE-2026-4177",
"datePublished": "2026-03-16T22:30:25.367Z",
"dateReserved": "2026-03-14T19:36:56.710Z",
"dateUpdated": "2026-03-17T14:04:53.600Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-30910 (GCVE-0-2026-30910)
Vulnerability from cvelistv5 – Published: 2026-03-08 00:54 – Updated: 2026-03-10 13:42
VLAI?
Title
Crypt::Sodium::XS versions through 0.001000 for Perl has potential integer overflows
Summary
Crypt::Sodium::XS versions through 0.001000 for Perl has potential integer overflows.
Combined aead encryption, combined signature creation, and bin2hex functions do not check that output size will be less than SIZE_MAX, which could lead to integer wraparound causing an undersized output buffer. This can cause a crash in bin2hex and encryption algorithms other than aes256gcm. For aes256gcm encryption and signatures, an undersized buffer could lead to buffer overflow.
Encountering this issue is unlikely as the message length would need to be very large.
For bin2hex the input size would have to be > SIZE_MAX / 2 For aegis encryption the input size would need to be > SIZE_MAX - 32U For other encryption the input size would need to be > SIZE_MAX - 16U For signatures the input size would need to be > SIZE_MAX - 64U
Severity ?
7.5 (High)
CWE
- CWE-190 - Integer Overflow or Wraparound
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| IAMB | Crypt::Sodium::XS |
Affected:
0 , ≤ 0.001000
(custom)
|
Credits
Brad Barden <perlmodules@5c30.org>
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2026-03-08T04:33:15.988Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "http://www.openwall.com/lists/oss-security/2026/03/08/2"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2026-30910",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-03-10T13:42:36.397541Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-03-10T13:42:58.942Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://cpan.org/modules",
"defaultStatus": "unaffected",
"packageName": "Crypt-Sodium-XS",
"product": "Crypt::Sodium::XS",
"programFiles": [
"inc/aead.xs",
"inc/sign.xs",
"inc/util.xs"
],
"vendor": "IAMB",
"versions": [
{
"lessThanOrEqual": "0.001000",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Brad Barden \u003cperlmodules@5c30.org\u003e"
}
],
"descriptions": [
{
"lang": "en",
"value": "Crypt::Sodium::XS versions through 0.001000 for Perl has potential integer overflows.\n\nCombined aead encryption, combined signature creation, and bin2hex functions do not check that output size will be less than SIZE_MAX, which could lead to integer wraparound causing an undersized output buffer. This can cause a crash in bin2hex and encryption algorithms other than aes256gcm. For aes256gcm encryption and signatures, an undersized buffer could lead to buffer overflow.\n\nEncountering this issue is unlikely as the message length would need to be very large.\n\nFor bin2hex the input size would have to be \u003e SIZE_MAX / 2 For aegis encryption the input size would need to be \u003e SIZE_MAX - 32U For other encryption the input size would need to be \u003e SIZE_MAX - 16U For signatures the input size would need to be \u003e SIZE_MAX - 64U"
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-190",
"description": "CWE-190 Integer Overflow or Wraparound",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-03-08T00:54:56.404Z",
"orgId": "9b29abf9-4ab0-4765-b253-1875cd9b441e",
"shortName": "CPANSec"
},
"references": [
{
"tags": [
"release-notes"
],
"url": "https://metacpan.org/release/IAMB/Crypt-Sodium-XS-0.001001/changes"
}
],
"solutions": [
{
"lang": "en",
"value": "Upgrade to version 0.001001"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Crypt::Sodium::XS versions through 0.001000 for Perl has potential integer overflows",
"x_generator": {
"engine": "cpansec-cna-tool 0.1"
}
}
},
"cveMetadata": {
"assignerOrgId": "9b29abf9-4ab0-4765-b253-1875cd9b441e",
"assignerShortName": "CPANSec",
"cveId": "CVE-2026-30910",
"datePublished": "2026-03-08T00:54:56.404Z",
"dateReserved": "2026-03-07T13:09:20.641Z",
"dateUpdated": "2026-03-10T13:42:58.942Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-30909 (GCVE-0-2026-30909)
Vulnerability from cvelistv5 – Published: 2026-03-08 00:46 – Updated: 2026-03-10 13:41
VLAI?
Title
Crypt::NaCl::Sodium versions through 2.002 for Perl has potential integer overflows
Summary
Crypt::NaCl::Sodium versions through 2.002 for Perl has potential integer overflows.
bin2hex, encrypt, aes256gcm_encrypt_afternm and seal functions do not check that output size will be less than SIZE_MAX, which could lead to integer wraparound causing an undersized output buffer.
Encountering this issue is unlikely as the message length would need to be very large.
For bin2hex() the bin_len would have to be > SIZE_MAX / 2 For encrypt() the msg_len would need to be > SIZE_MAX - 16U For aes256gcm_encrypt_afternm() the msg_len would need to be > SIZE_MAX - 16U For seal() the enc_len would need to be > SIZE_MAX - 64U
Severity ?
9.8 (Critical)
CWE
- CWE-190 - Integer Overflow or Wraparound
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| TIMLEGGE | Crypt::NaCl::Sodium |
Affected:
0 , ≤ 2.002
(custom)
|
Credits
Brad Barden <perlmodules@5c30.org>
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2026-03-08T04:33:14.855Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "http://www.openwall.com/lists/oss-security/2026/03/08/1"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2026-30909",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-03-10T13:40:18.499636Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-03-10T13:41:14.273Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://cpan.org/modules",
"defaultStatus": "unaffected",
"packageName": "Crypt-NaCl-Sodium",
"product": "Crypt::NaCl::Sodium",
"programFiles": [
"Sodium.xs"
],
"repo": "https://github.com/cpan-authors/crypt-nacl-sodium",
"vendor": "TIMLEGGE",
"versions": [
{
"lessThanOrEqual": "2.002",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Brad Barden \u003cperlmodules@5c30.org\u003e"
}
],
"descriptions": [
{
"lang": "en",
"value": "Crypt::NaCl::Sodium versions through 2.002 for Perl has potential integer overflows.\n\nbin2hex, encrypt, aes256gcm_encrypt_afternm and seal functions do not check that output size will be less than SIZE_MAX, which could lead to integer wraparound causing an undersized output buffer.\n\nEncountering this issue is unlikely as the message length would need to be very large.\n\nFor bin2hex() the bin_len would have to be \u003e SIZE_MAX / 2 For encrypt() the msg_len would need to be \u003e SIZE_MAX - 16U For aes256gcm_encrypt_afternm() the msg_len would need to be \u003e SIZE_MAX - 16U For seal() the enc_len would need to be \u003e SIZE_MAX - 64U"
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-190",
"description": "CWE-190 Integer Overflow or Wraparound",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-03-08T00:46:12.862Z",
"orgId": "9b29abf9-4ab0-4765-b253-1875cd9b441e",
"shortName": "CPANSec"
},
"references": [
{
"url": "https://metacpan.org/release/TIMLEGGE/Crypt-NaCl-Sodium-2.002/source/Sodium.xs#L2116"
},
{
"url": "https://metacpan.org/release/TIMLEGGE/Crypt-NaCl-Sodium-2.002/source/Sodium.xs#L2310"
},
{
"url": "https://metacpan.org/release/TIMLEGGE/Crypt-NaCl-Sodium-2.002/source/Sodium.xs#L3304"
},
{
"url": "https://metacpan.org/release/TIMLEGGE/Crypt-NaCl-Sodium-2.002/source/Sodium.xs#L942"
},
{
"tags": [
"patch"
],
"url": "https://github.com/cpan-authors/crypt-nacl-sodium/pull/24.patch"
},
{
"tags": [
"release-notes"
],
"url": "https://metacpan.org/release/TIMLEGGE/Crypt-NaCl-Sodium-2.003/source/Changes"
}
],
"solutions": [
{
"lang": "en",
"value": "Upgrade to version 2.003"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Crypt::NaCl::Sodium versions through 2.002 for Perl has potential integer overflows",
"x_generator": {
"engine": "cpansec-cna-tool 0.1"
}
}
},
"cveMetadata": {
"assignerOrgId": "9b29abf9-4ab0-4765-b253-1875cd9b441e",
"assignerShortName": "CPANSec",
"cveId": "CVE-2026-30909",
"datePublished": "2026-03-08T00:46:12.862Z",
"dateReserved": "2026-03-07T13:09:20.640Z",
"dateUpdated": "2026-03-10T13:41:14.273Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2024-57854 (GCVE-0-2024-57854)
Vulnerability from cvelistv5 – Published: 2026-03-05 02:18 – Updated: 2026-03-05 16:41
VLAI?
Title
Net::NSCA::Client versions through 0.009002 for Perl uses a poor random number generator
Summary
Net::NSCA::Client versions through 0.009002 for Perl uses a poor random number generator.
Version v0.003 switched to use Data::Rand::Obscure instead of Crypt::Random for generation of a random initialisation vectors.
Data::Rand::Obscure uses Perl's built-in rand() function, which is not suitable for cryptographic functions.
Severity ?
9.1 (Critical)
CWE
- CWE-338 - Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG)
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| DOUGDUDE | Net::NSCA::Client |
Affected:
0 , ≤ 0.009002
(custom)
|
Credits
Robert Rothenberg
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2026-03-05T11:12:50.673Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "http://www.openwall.com/lists/oss-security/2026/03/05/1"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 9.1,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2024-57854",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-03-05T16:40:27.714179Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-03-05T16:41:19.727Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://cpan.org/modules",
"defaultStatus": "unaffected",
"packageName": "Net-NSCA-Client",
"product": "Net::NSCA::Client",
"programFiles": [
"lib/Net/NSCA/Client/InitialPacket.pm"
],
"programRoutines": [
{
"name": "_build_initialization_vector"
}
],
"repo": "https://github.com/dougwilson/perl5-net-nsca-client",
"vendor": "DOUGDUDE",
"versions": [
{
"lessThanOrEqual": "0.009002",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Robert Rothenberg"
}
],
"descriptions": [
{
"lang": "en",
"value": "Net::NSCA::Client versions through 0.009002 for Perl uses a poor random number generator.\n\nVersion v0.003 switched to use Data::Rand::Obscure instead of Crypt::Random for generation of a random initialisation vectors.\n\nData::Rand::Obscure uses Perl\u0027s built-in rand() function, which is not suitable for cryptographic functions."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-338",
"description": "CWE-338 Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-03-05T02:18:25.951Z",
"orgId": "9b29abf9-4ab0-4765-b253-1875cd9b441e",
"shortName": "CPANSec"
},
"references": [
{
"url": "https://metacpan.org/release/DOUGDUDE/Net-NSCA-Client-0.009002/source/lib/Net/NSCA/Client/InitialPacket.pm#L119"
},
{
"tags": [
"patch"
],
"url": "https://patch-diff.githubusercontent.com/raw/dougwilson/perl5-net-nsca-client/pull/2.patch"
}
],
"solutions": [
{
"lang": "en",
"value": "Apply a manual patch or migrate to a different solution"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Net::NSCA::Client versions through 0.009002 for Perl uses a poor random number generator",
"x_generator": {
"engine": "cpansec-cna-tool 0.1"
}
}
},
"cveMetadata": {
"assignerOrgId": "9b29abf9-4ab0-4765-b253-1875cd9b441e",
"assignerShortName": "CPANSec",
"cveId": "CVE-2024-57854",
"datePublished": "2026-03-05T02:18:25.951Z",
"dateReserved": "2025-03-26T14:00:56.392Z",
"dateUpdated": "2026-03-05T16:41:19.727Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-40931 (GCVE-0-2025-40931)
Vulnerability from cvelistv5 – Published: 2026-03-05 01:41 – Updated: 2026-04-12 17:19
VLAI?
Title
Apache::Session::Generate::MD5 versions through 1.94 for Perl create insecure session id
Summary
Apache::Session::Generate::MD5 versions through 1.94 for Perl create insecure session id.
Apache::Session::Generate::MD5 generates session ids insecurely. The default session id generator returns a MD5 hash seeded with the built-in rand() function, the epoch time, and the PID. The PID will come from a small set of numbers, and the epoch time may be guessed, if it is not leaked from the HTTP Date header. The built-in rand function is unsuitable for cryptographic usage. Predicable session ids could allow an attacker to gain access to systems.
Note that the libapache-session-perl package in some Debian-based Linux distributions may be patched to use Crypt::URandom.
Severity ?
9.1 (Critical)
CWE
Assigner
References
| URL | Tags | ||||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| CHORNY | Apache::Session::Generate::MD5 |
Affected:
0 , ≤ 1.94
(custom)
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2026-03-05T11:12:52.118Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "http://www.openwall.com/lists/oss-security/2026/03/05/3"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 9.1,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2025-40931",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-03-05T16:38:07.301789Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-03-11T14:59:01.628Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://cpan.org/modules",
"defaultStatus": "unaffected",
"packageName": "Apache-Session",
"product": "Apache::Session::Generate::MD5",
"programFiles": [
"lib/Session/Generate/MD5.pm"
],
"repo": "https://github.com/chorny/Apache-Session",
"vendor": "CHORNY",
"versions": [
{
"lessThanOrEqual": "1.94",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Apache::Session::Generate::MD5 versions through 1.94 for Perl create insecure session id.\n\nApache::Session::Generate::MD5 generates session ids insecurely. The default session id generator returns a MD5 hash seeded with the built-in rand() function, the epoch time, and the PID. The PID will come from a small set of numbers, and the epoch time may be guessed, if it is not leaked from the HTTP Date header. The built-in rand function is unsuitable for cryptographic usage. Predicable session ids could allow an attacker to gain access to systems.\n\nNote that the libapache-session-perl package in some Debian-based Linux distributions may be patched to use Crypt::URandom."
}
],
"impacts": [
{
"capecId": "CAPEC-115",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-115 Authentication Bypass"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-340",
"description": "CWE-340 Generation of Predictable Numbers or Identifiers",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-338",
"description": "CWE-338 Use of Cryptographically Weak Pseudo-Random Number Generator",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-12T17:19:38.170Z",
"orgId": "9b29abf9-4ab0-4765-b253-1875cd9b441e",
"shortName": "CPANSec"
},
"references": [
{
"url": "https://metacpan.org/dist/Apache-Session/source/lib/Apache/Session/Generate/MD5.pm#L27"
},
{
"tags": [
"technical-description"
],
"url": "https://security.metacpan.org/docs/guides/random-data-for-security.html"
},
{
"tags": [
"issue-tracking"
],
"url": "https://github.com/chorny/Apache-Session/issues/4"
},
{
"tags": [
"issue-tracking"
],
"url": "https://rt.cpan.org/Ticket/Display.html?id=173631"
},
{
"tags": [
"mailing-list"
],
"url": "https://www.openwall.com/lists/oss-security/2019/06/15/1"
},
{
"tags": [
"issue-tracking"
],
"url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=930659"
},
{
"tags": [
"patch"
],
"url": "https://salsa.debian.org/perl-team/modules/packages/libapache-session-perl/-/commit/bdabd71c2f91b18526e31a9dc52b4c17b3d246b7#898a4b8b00022df1b8689910b67707f3e738d180"
},
{
"tags": [
"issue-tracking"
],
"url": "https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/work_items/1633"
},
{
"url": "https://metacpan.org/pod/Apache::Session::Generate::Random"
}
],
"solutions": [
{
"lang": "en",
"value": "Consider alternate solutions like https://metacpan.org/pod/Apache::Session::Generate::Random"
}
],
"source": {
"discovery": "UNKNOWN"
},
"timeline": [
{
"lang": "en",
"time": "2017-10-06T00:00:00.000Z",
"value": "Issue created in the GitHub repository for Apache-Session identifying poor entropy."
},
{
"lang": "en",
"time": "2019-06-15T00:00:00.000Z",
"value": "Report posted to the Open Source Security mailing list."
},
{
"lang": "en",
"time": "2019-06-17T00:00:00.000Z",
"value": "Debian bug 930659 for libapache-session-perl poor source of entropy for session id generation."
},
{
"lang": "en",
"time": "2019-06-20T00:00:00.000Z",
"value": "Patch to use Crypt::URandom created by the Debian Perl Group."
},
{
"lang": "en",
"time": "2025-09-04T00:00:00.000Z",
"value": "Issue reported to CPANSec."
},
{
"lang": "en",
"time": "2026-03-05T00:00:00.000Z",
"value": "CVE disclosed by CPANSec."
}
],
"title": "Apache::Session::Generate::MD5 versions through 1.94 for Perl create insecure session id",
"workarounds": [
{
"lang": "en",
"value": "Apply the patch from the Debian Perl Group that uses Crypt::URandom."
}
],
"x_generator": {
"engine": "cpansec-cna-tool 0.1"
}
}
},
"cveMetadata": {
"assignerOrgId": "9b29abf9-4ab0-4765-b253-1875cd9b441e",
"assignerShortName": "CPANSec",
"cveId": "CVE-2025-40931",
"datePublished": "2026-03-05T01:41:09.588Z",
"dateReserved": "2025-04-16T09:05:34.363Z",
"dateUpdated": "2026-04-12T17:19:38.170Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-3257 (GCVE-0-2026-3257)
Vulnerability from cvelistv5 – Published: 2026-03-05 01:35 – Updated: 2026-03-05 16:34
VLAI?
Title
UnQLite versions through 0.06 for Perl uses a potentially insecure version of the UnQLite library
Summary
UnQLite versions through 0.06 for Perl uses a potentially insecure version of the UnQLite library.
UnQLite for Perl embeds the UnQLite library. Version 0.06 and earlier of the Perl module uses a version of the library from 2014 that may be vulnerable to a heap-based overflow.
Severity ?
9.8 (Critical)
CWE
- CWE-1395 - Dependency on Vulnerable Third-Party Component
Assigner
References
| URL | Tags | ||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2026-3257",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-03-05T16:33:50.730722Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-03-05T16:34:39.834Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://cpan.org/modules",
"defaultStatus": "unaffected",
"packageName": "UnQLite",
"product": "UnQLite",
"programFiles": [
"unqlite/unqlite.c"
],
"repo": "https://github.com/tokuhirom/UnQLite",
"vendor": "TOKUHIROM",
"versions": [
{
"lessThanOrEqual": "0.06",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "UnQLite versions through 0.06 for Perl uses a potentially insecure version of the UnQLite library.\n\nUnQLite for Perl embeds the UnQLite library. Version 0.06 and earlier of the Perl module uses a version of the library from 2014 that may be vulnerable to a heap-based overflow."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-1395",
"description": "CWE-1395 Dependency on Vulnerable Third-Party Component",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-03-05T01:35:12.789Z",
"orgId": "9b29abf9-4ab0-4765-b253-1875cd9b441e",
"shortName": "CPANSec"
},
"references": [
{
"tags": [
"release-notes"
],
"url": "https://metacpan.org/release/TOKUHIROM/UnQLite-0.07/source/Changes"
},
{
"tags": [
"vendor-advisory",
"related",
"vdb-entry"
],
"url": "https://www.cve.org/CVERecord?id=CVE-2025-3791"
},
{
"url": "https://unqlite.symisc.net/"
}
],
"solutions": [
{
"lang": "en",
"value": "UnQLite for Perl has been deprecated since version 0.06. Migrate to a different solution."
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "UnQLite versions through 0.06 for Perl uses a potentially insecure version of the UnQLite library",
"workarounds": [
{
"lang": "en",
"value": "Upgrade to UnQLite for Perl version 0.07 or later."
}
],
"x_generator": {
"engine": "cpansec-cna-tool 0.1"
}
}
},
"cveMetadata": {
"assignerOrgId": "9b29abf9-4ab0-4765-b253-1875cd9b441e",
"assignerShortName": "CPANSec",
"cveId": "CVE-2026-3257",
"datePublished": "2026-03-05T01:35:12.789Z",
"dateReserved": "2026-02-26T12:04:48.010Z",
"dateUpdated": "2026-03-05T16:34:39.834Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-3381 (GCVE-0-2026-3381)
Vulnerability from cvelistv5 – Published: 2026-03-05 01:28 – Updated: 2026-03-11 15:00
VLAI?
Title
Compress::Raw::Zlib versions through 2.219 for Perl use potentially insecure versions of zlib
Summary
Compress::Raw::Zlib versions through 2.219 for Perl use potentially insecure versions of zlib.
Compress::Raw::Zlib includes a copy of the zlib library. Compress::Raw::Zlib version 2.220 includes zlib 1.3.2, which addresses findings fron the 7ASecurity audit of zlib. The includes fixs for CVE-2026-27171.
Severity ?
9.8 (Critical)
CWE
- CWE-1395 - Dependency on Vulnerable Third-Party Component
Assigner
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| PMQS | Compress::Raw::Zlib |
Affected:
0 , ≤ 2.219
(custom)
|
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2026-3381",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-03-05T16:31:41.264640Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-03-11T15:00:11.466Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://cpan.org/modules",
"defaultStatus": "unaffected",
"packageName": "Compress-Raw-Zlib",
"product": "Compress::Raw::Zlib",
"repo": "https://github.com/pmqs/Compress-Raw-Zlib",
"vendor": "PMQS",
"versions": [
{
"lessThanOrEqual": "2.219",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Compress::Raw::Zlib versions through 2.219 for Perl use potentially insecure versions of zlib.\n\nCompress::Raw::Zlib includes a copy of the zlib library. Compress::Raw::Zlib version 2.220 includes zlib 1.3.2, which addresses findings fron the 7ASecurity audit of zlib. The includes fixs for CVE-2026-27171."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-1395",
"description": "CWE-1395 Dependency on Vulnerable Third-Party Component",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-03-07T15:44:59.956Z",
"orgId": "9b29abf9-4ab0-4765-b253-1875cd9b441e",
"shortName": "CPANSec"
},
"references": [
{
"tags": [
"release-notes"
],
"url": "https://metacpan.org/release/PMQS/Compress-Raw-Zlib-2.221/source/Changes"
},
{
"url": "https://www.zlib.net/"
},
{
"url": "https://github.com/madler/zlib"
},
{
"tags": [
"release-notes"
],
"url": "https://github.com/madler/zlib/releases/tag/v1.3.2"
},
{
"tags": [
"technical-description"
],
"url": "https://7asecurity.com/blog/2026/02/zlib-7asecurity-audit/"
},
{
"tags": [
"vendor-advisory",
"related",
"vdb-entry"
],
"url": "https://www.cve.org/CVERecord?id=CVE-2026-27171"
},
{
"tags": [
"issue-tracking"
],
"url": "https://github.com/pmqs/Compress-Raw-Zlib/issues/41"
}
],
"solutions": [
{
"lang": "en",
"value": "Upgrade to Compress::Raw::Zlib 2.220 or later."
}
],
"source": {
"discovery": "UNKNOWN"
},
"timeline": [
{
"lang": "en",
"time": "2026-02-17T00:00:00.000Z",
"value": "zlib 1.3.2 released."
},
{
"lang": "en",
"time": "2026-02-27T00:00:00.000Z",
"value": "Compress::Raw::Zlib 2.220 released."
}
],
"title": "Compress::Raw::Zlib versions through 2.219 for Perl use potentially insecure versions of zlib",
"x_generator": {
"engine": "cpansec-cna-tool 0.1"
}
}
},
"cveMetadata": {
"assignerOrgId": "9b29abf9-4ab0-4765-b253-1875cd9b441e",
"assignerShortName": "CPANSec",
"cveId": "CVE-2026-3381",
"datePublished": "2026-03-05T01:28:48.062Z",
"dateReserved": "2026-02-28T09:24:49.085Z",
"dateUpdated": "2026-03-11T15:00:11.466Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-40926 (GCVE-0-2025-40926)
Vulnerability from cvelistv5 – Published: 2026-03-05 01:24 – Updated: 2026-03-11 23:25
VLAI?
Title
Plack::Middleware::Session::Simple versions before 0.05 for Perl generates session ids insecurely
Summary
Plack::Middleware::Session::Simple versions before 0.05 for Perl generates session ids insecurely.
The default session id generator returns a SHA-1 hash seeded with the built-in rand function, the epoch time, and the PID. The PID will come from a small set of numbers, and the epoch time may be guessed, if it is not leaked from the HTTP Date header. The built-in rand function is unsuitable for cryptographic usage.
Predictable session ids could allow an attacker to gain access to systems.
Plack::Middleware::Session::Simple is intended to be compatible with Plack::Middleware::Session, which had a similar security issue CVE-2025-40923.
Severity ?
9.8 (Critical)
CWE
Assigner
References
| URL | Tags | |||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| KAZEBURO | Plack::Middleware::Session::Simple |
Affected:
0 , < 0.05
(custom)
|
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2025-40926",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-03-05T16:28:14.069463Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-03-05T16:29:24.355Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://cpan.org/modules",
"defaultStatus": "unaffected",
"packageName": "Plack-Middleware-Session-Simple",
"product": "Plack::Middleware::Session::Simple",
"programFiles": [
"lib/Plack/Middleware/Session/Simple.pm"
],
"programRoutines": [
{
"name": "Plack::Middleware::Session::Simple::sid_generator"
}
],
"repo": "https://github.com/kazeburo/Plack-Middleware-Session-Simple",
"vendor": "KAZEBURO",
"versions": [
{
"lessThan": "0.05",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Plack::Middleware::Session::Simple versions before 0.05 for Perl generates session ids insecurely.\n\nThe default session id generator returns a SHA-1 hash seeded with the built-in rand function, the epoch time, and the PID. The PID will come from a small set of numbers, and the epoch time may be guessed, if it is not leaked from the HTTP Date header. The built-in rand function is unsuitable for cryptographic usage.\n\nPredictable session ids could allow an attacker to gain access to systems.\n\nPlack::Middleware::Session::Simple is intended to be compatible with Plack::Middleware::Session, which had a similar security issue CVE-2025-40923."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-340",
"description": "CWE-340 Generation of Predictable Numbers or Identifiers",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-338",
"description": "CWE-338 Use of Cryptographically Weak Pseudo-Random Number Generator",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-03-11T23:25:24.779Z",
"orgId": "9b29abf9-4ab0-4765-b253-1875cd9b441e",
"shortName": "CPANSec"
},
"references": [
{
"url": "https://metacpan.org/release/KAZEBURO/Plack-Middleware-Session-Simple-0.04/source/lib/Plack/Middleware/Session/Simple.pm#L43"
},
{
"tags": [
"issue-tracking"
],
"url": "https://github.com/kazeburo/Plack-Middleware-Session-Simple/pull/4"
},
{
"tags": [
"patch"
],
"url": "https://github.com/kazeburo/Plack-Middleware-Session-Simple/commit/760bb358b8f53e52cf415888a4ac858fd99bb24e.patch"
},
{
"tags": [
"vendor-advisory",
"related",
"vdb-entry"
],
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40923"
},
{
"tags": [
"technical-description"
],
"url": "https://security.metacpan.org/docs/guides/random-data-for-security.html"
},
{
"tags": [
"release-notes"
],
"url": "https://metacpan.org/release/KAZEBURO/Plack-Middleware-Session-Simple-0.05/changes"
}
],
"solutions": [
{
"lang": "en",
"value": "Users are advised to upgrade to version 0.05 or later."
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Plack::Middleware::Session::Simple versions before 0.05 for Perl generates session ids insecurely",
"workarounds": [
{
"lang": "en",
"value": "Users are advised to change the sid_generator attribute of Plack::Middleware::Session::Simple to a function that returns a securely generated session id based on a secure source of entropy from the system.\n\nUsers may consider using Plack::Middleware::Session version 0.35 or later."
}
],
"x_generator": {
"engine": "cpansec-cna-tool 0.1"
}
}
},
"cveMetadata": {
"assignerOrgId": "9b29abf9-4ab0-4765-b253-1875cd9b441e",
"assignerShortName": "CPANSec",
"cveId": "CVE-2025-40926",
"datePublished": "2026-03-05T01:24:34.151Z",
"dateReserved": "2025-04-16T09:05:34.362Z",
"dateUpdated": "2026-03-11T23:25:24.779Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2018-25160 (GCVE-0-2018-25160)
Vulnerability from cvelistv5 – Published: 2026-02-27 20:15 – Updated: 2026-03-03 20:22
VLAI?
Title
HTTP::Session2 versions through 1.09 for Perl does not validate the format of user provided session ids, enabling code injection or other impact depending on session backend
Summary
HTTP::Session2 versions through 1.09 for Perl does not validate the format of user provided session ids, enabling code injection or other impact depending on session backend.
For example, if an application uses memcached for session storage, then it may be possible for a remote attacker to inject memcached commands in the session id value.
Severity ?
6.5 (Medium)
CWE
- CWE-20 - Improper Input Validation
Assigner
References
| URL | Tags | |
|---|---|---|
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| TOKUHIROM | HTTP::Session2 |
Affected:
0 , ≤ 1.09
(custom)
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2026-02-28T00:15:29.050Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "http://www.openwall.com/lists/oss-security/2026/02/27/13"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2018-25160",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-03-03T20:22:03.246004Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-03-03T20:22:20.829Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://cpan.org/modules",
"defaultStatus": "unaffected",
"packageName": "HTTP-Session2",
"product": "HTTP::Session2",
"repo": "https://github.com/tokuhirom/HTTP-Session2",
"vendor": "TOKUHIROM",
"versions": [
{
"lessThanOrEqual": "1.09",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "HTTP::Session2 versions through 1.09 for Perl does not validate the format of user provided session ids, enabling code injection or other impact depending on session backend.\n\nFor example, if an application uses memcached for session storage, then it may be possible for a remote attacker to inject memcached commands in the session id value."
}
],
"impacts": [
{
"capecId": "CAPEC-248",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-248 Command Injection"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-20",
"description": "CWE-20 Improper Input Validation",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-02-27T20:15:31.418Z",
"orgId": "9b29abf9-4ab0-4765-b253-1875cd9b441e",
"shortName": "CPANSec"
},
"references": [
{
"tags": [
"patch"
],
"url": "https://github.com/tokuhirom/HTTP-Session2/commit/813838f6d08034b6a265a70e53b59b941b5d3e6d.patch"
},
{
"tags": [
"release-notes"
],
"url": "https://metacpan.org/release/TOKUHIROM/HTTP-Session2-1.10/source/Changes"
},
{
"tags": [
"related"
],
"url": "https://metacpan.org/pod/Cache::Memcached::Fast::Safe"
}
],
"solutions": [
{
"lang": "en",
"value": "HTTP::Session2 has been deprecated since version 1.11, users are recommended to migrate to a different solution."
}
],
"source": {
"discovery": "UNKNOWN"
},
"timeline": [
{
"lang": "en",
"time": "2018-01-26T00:00:00.000Z",
"value": "version 1.10 HTTP::Session2 released with fix."
},
{
"lang": "en",
"time": "2026-02-24T00:00:00.000Z",
"value": "version 1.11 HTTP::Session2 deprecated."
}
],
"title": "HTTP::Session2 versions through 1.09 for Perl does not validate the format of user provided session ids, enabling code injection or other impact depending on session backend",
"workarounds": [
{
"lang": "en",
"value": "Upgrade to version 1.10 or later.\n\nUse a session storage module that offers protection against command injections, such as Cache::Memcached::Fast::Safe."
}
],
"x_generator": {
"engine": "cpansec-cna-tool 0.1"
}
}
},
"cveMetadata": {
"assignerOrgId": "9b29abf9-4ab0-4765-b253-1875cd9b441e",
"assignerShortName": "CPANSec",
"cveId": "CVE-2018-25160",
"datePublished": "2026-02-27T20:15:31.418Z",
"dateReserved": "2026-02-26T11:50:05.854Z",
"dateUpdated": "2026-03-03T20:22:20.829Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-3255 (GCVE-0-2026-3255)
Vulnerability from cvelistv5 – Published: 2026-02-27 20:12 – Updated: 2026-03-03 20:23
VLAI?
Title
HTTP::Session2 versions before 1.12 for Perl may generate weak session ids using the rand() function
Summary
HTTP::Session2 versions before 1.12 for Perl for Perl may generate weak session ids using the rand() function.
The HTTP::Session2 session id generator returns a SHA-1 hash seeded with the built-in rand function, the epoch time, and the PID. The PID will come from a small set of numbers, and the epoch time may be guessed, if it is not leaked from the HTTP Date header. The built-in rand() function is unsuitable for cryptographic usage.
HTTP::Session2 after version 1.02 will attempt to use the /dev/urandom device to generate a session id, but if the device is unavailable (for example, under Windows), then it will revert to the insecure method described above.
Severity ?
6.5 (Medium)
CWE
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| TOKUHIROM | HTTP::Session2 |
Affected:
0 , < 1.12
(custom)
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2026-02-28T00:15:39.689Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "http://www.openwall.com/lists/oss-security/2026/02/27/12"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2026-3255",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-03-03T20:23:27.914632Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-03-03T20:23:53.160Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://cpan.org/modules",
"defaultStatus": "unaffected",
"packageName": "HTTP-Session2",
"product": "HTTP::Session2",
"repo": "https://github.com/tokuhirom/HTTP-Session2",
"vendor": "TOKUHIROM",
"versions": [
{
"lessThan": "1.12",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "HTTP::Session2 versions before 1.12 for Perl for Perl may generate weak session ids using the rand() function.\n\nThe HTTP::Session2 session id generator returns a SHA-1 hash seeded with the built-in rand function, the epoch time, and the PID. The PID will come from a small set of numbers, and the epoch time may be guessed, if it is not leaked from the HTTP Date header. The built-in rand() function is unsuitable for cryptographic usage.\n\nHTTP::Session2 after version 1.02 will attempt to use the /dev/urandom device to generate a session id, but if the device is unavailable (for example, under Windows), then it will revert to the insecure method described above."
}
],
"impacts": [
{
"capecId": "CAPEC-115",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-115 Authentication Bypass"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-340",
"description": "CWE-340 Generation of Predictable Numbers or Identifiers",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-338",
"description": "CWE-338 Use of Cryptographically Weak Pseudo-Random Number Generator",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-02-27T20:12:35.414Z",
"orgId": "9b29abf9-4ab0-4765-b253-1875cd9b441e",
"shortName": "CPANSec"
},
"references": [
{
"url": "https://metacpan.org/release/TOKUHIROM/HTTP-Session2-1.11/source/lib/HTTP/Session2/Random.pm#L35"
},
{
"url": "https://metacpan.org/release/TOKUHIROM/HTTP-Session2-1.01/source/lib/HTTP/Session2/ServerStore.pm#L68"
},
{
"tags": [
"release-notes"
],
"url": "https://metacpan.org/release/TOKUHIROM/HTTP-Session2-1.12/changes"
},
{
"tags": [
"patch"
],
"url": "https://github.com/tokuhirom/HTTP-Session2/commit/9cfde4d7e0965172aef5dcfa3b03bb48df93e636.patch"
}
],
"solutions": [
{
"lang": "en",
"value": "HTTP::Session2 has been deprecated since version 1.11. Migrate to a different solution."
}
],
"source": {
"discovery": "UNKNOWN"
},
"timeline": [
{
"lang": "en",
"time": "2014-07-31T00:00:00.000Z",
"value": "version 1.02 HTTP::Session2 released that attempts to use /dev/urandom."
},
{
"lang": "en",
"time": "2026-02-24T00:00:00.000Z",
"value": "version 1.11 HTTP::Session2 deprecated"
},
{
"lang": "en",
"time": "2026-02-26T00:00:00.000Z",
"value": "version 1.12 HTTP::Session2 released with a fix with a portable solution."
}
],
"title": "HTTP::Session2 versions before 1.12 for Perl may generate weak session ids using the rand() function",
"workarounds": [
{
"lang": "en",
"value": "Upgrade to version 1.12 or later."
}
],
"x_generator": {
"engine": "cpansec-cna-tool 0.1"
}
}
},
"cveMetadata": {
"assignerOrgId": "9b29abf9-4ab0-4765-b253-1875cd9b441e",
"assignerShortName": "CPANSec",
"cveId": "CVE-2026-3255",
"datePublished": "2026-02-27T20:12:35.414Z",
"dateReserved": "2026-02-26T11:43:17.278Z",
"dateUpdated": "2026-03-03T20:23:53.160Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2021-4456 (GCVE-0-2021-4456)
Vulnerability from cvelistv5 – Published: 2026-02-27 00:16 – Updated: 2026-02-27 16:53
VLAI?
Title
Net::CIDR versions before 0.24 for Perl mishandle leading zeros in IP CIDR addresses, which may have unspecified impact
Summary
Net::CIDR versions before 0.24 for Perl mishandle leading zeros in IP CIDR addresses, which may have unspecified impact.
The functions `addr2cidr` and `cidrlookup` may return leading zeros in a CIDR string, which may in turn be parsed as octal numbers by subsequent users. In some cases an attacker may be able to leverage this to bypass access controls based on IP addresses.
The documentation advises validating untrusted CIDR strings with the `cidrvalidate` function. However, this mitigation is optional and not enforced by default. In practice, users may call `addr2cidr` or `cidrlookup` with untrusted input and without validation, incorrectly assuming that this is safe.
Severity ?
6.5 (Medium)
CWE
- CWE-704 - Incorrect Type Conversion or Cast
Assigner
References
| URL | Tags | |
|---|---|---|
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2021-4456",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-02-27T16:52:58.903437Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-02-27T16:53:23.671Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://cpan.org/modules",
"defaultStatus": "unaffected",
"packageName": "Net-CIDR",
"product": "Net::CIDR",
"programRoutines": [
{
"name": "addr2cidr"
},
{
"name": "cidrlookup"
}
],
"repo": "https://github.com/svarshavchik/Net-CIDR",
"vendor": "MRSAM",
"versions": [
{
"lessThan": "0.24",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Net::CIDR versions before 0.24 for Perl mishandle leading zeros in IP CIDR addresses, which may have unspecified impact.\n\nThe functions `addr2cidr` and `cidrlookup` may return leading zeros in a CIDR string, which may in turn be parsed as octal numbers by subsequent users. In some cases an attacker may be able to leverage this to bypass access controls based on IP addresses.\n\nThe documentation advises validating untrusted CIDR strings with the `cidrvalidate` function. However, this mitigation is optional and not enforced by default. In practice, users may call `addr2cidr` or `cidrlookup` with untrusted input and without validation, incorrectly assuming that this is safe."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-704",
"description": "CWE-704 Incorrect Type Conversion or Cast",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-02-27T00:16:36.383Z",
"orgId": "9b29abf9-4ab0-4765-b253-1875cd9b441e",
"shortName": "CPANSec"
},
"references": [
{
"tags": [
"related"
],
"url": "https://blog.urth.org/2021/03/29/security-issues-in-perl-ip-address-distros/"
},
{
"tags": [
"patch"
],
"url": "https://github.com/svarshavchik/Net-CIDR/commit/e3648c6bc6bdd018f90cca4149c467017d42bd10"
},
{
"tags": [
"release-notes"
],
"url": "https://metacpan.org/dist/Net-CIDR/changes"
}
],
"solutions": [
{
"lang": "en",
"value": "Use the `cidrvalidate` function on untrusted input before passing to the affected functions or upgrade to version 0.24 or later"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Net::CIDR versions before 0.24 for Perl mishandle leading zeros in IP CIDR addresses, which may have unspecified impact",
"x_generator": {
"engine": "cpansec-cna-tool 0.1"
}
}
},
"cveMetadata": {
"assignerOrgId": "9b29abf9-4ab0-4765-b253-1875cd9b441e",
"assignerShortName": "CPANSec",
"cveId": "CVE-2021-4456",
"datePublished": "2026-02-27T00:16:36.383Z",
"dateReserved": "2025-05-18T22:36:11.463Z",
"dateUpdated": "2026-02-27T16:53:23.671Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-40932 (GCVE-0-2025-40932)
Vulnerability from cvelistv5 – Published: 2026-02-26 23:33 – Updated: 2026-02-27 18:41
VLAI?
Title
Apache::SessionX versions through 2.01 for Perl create insecure session id
Summary
Apache::SessionX versions through 2.01 for Perl create insecure session id.
Apache::SessionX generates session ids insecurely. The default session id generator in Apache::SessionX::Generate::MD5 returns a MD5 hash seeded with the built-in rand() function, the epoch time, and the PID. The PID will come from a small set of numbers, and the epoch time may be guessed, if it is not leaked from the HTTP Date header. The built-in rand function is unsuitable for cryptographic usage. Predicable session ids could allow an attacker to gain access to systems.
Severity ?
8.2 (High)
CWE
Assigner
References
| URL | Tags | |
|---|---|---|
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| GRICHTER | Apache::SessionX |
Affected:
0 , ≤ 2.01
(custom)
|
Credits
Robert Rothenberg
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 8.2,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2025-40932",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-02-27T18:39:16.068005Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-02-27T18:41:24.407Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://cpan.org/modules",
"defaultStatus": "unaffected",
"packageName": "Apache-SessionX",
"product": "Apache::SessionX",
"programFiles": [
"lib/SessionX/Generate/MD5.pm"
],
"vendor": "GRICHTER",
"versions": [
{
"lessThanOrEqual": "2.01",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Robert Rothenberg"
}
],
"descriptions": [
{
"lang": "en",
"value": "Apache::SessionX versions through 2.01 for Perl create insecure session id.\n\nApache::SessionX generates session ids insecurely. The default session id generator in Apache::SessionX::Generate::MD5 returns a MD5 hash seeded with the built-in rand() function, the epoch time, and the PID. The PID will come from a small set of numbers, and the epoch time may be guessed, if it is not leaked from the HTTP Date header. The built-in rand function is unsuitable for cryptographic usage. Predicable session ids could allow an attacker to gain access to systems."
}
],
"impacts": [
{
"capecId": "CAPEC-115",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-115 Authentication Bypass"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-340",
"description": "CWE-340 Generation of Predictable Numbers or Identifiers",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-338",
"description": "CWE-338 Use of Cryptographically Weak Pseudo-Random Number Generator",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-02-26T23:33:37.083Z",
"orgId": "9b29abf9-4ab0-4765-b253-1875cd9b441e",
"shortName": "CPANSec"
},
"references": [
{
"tags": [
"related"
],
"url": "https://metacpan.org/release/GRICHTER/Apache-SessionX-2.01/source/SessionX/Generate/MD5.pm#L29"
}
],
"solutions": [
{
"lang": "en",
"value": "Consider alternate solutions like https://metacpan.org/pod/Apache::SessionX::Generate::Random"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Apache::SessionX versions through 2.01 for Perl create insecure session id",
"x_generator": {
"engine": "cpansec-cna-tool 0.1"
}
}
},
"cveMetadata": {
"assignerOrgId": "9b29abf9-4ab0-4765-b253-1875cd9b441e",
"assignerShortName": "CPANSec",
"cveId": "CVE-2025-40932",
"datePublished": "2026-02-26T23:33:37.083Z",
"dateReserved": "2025-04-16T09:05:34.363Z",
"dateUpdated": "2026-02-27T18:41:24.407Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-2597 (GCVE-0-2026-2597)
Vulnerability from cvelistv5 – Published: 2026-02-26 23:29 – Updated: 2026-02-27 18:50
VLAI?
Title
Crypt::SysRandom::XS versions before 0.010 for Perl is vulnerable to a heap buffer overflow in the XS function random_bytes()
Summary
Crypt::SysRandom::XS versions before 0.010 for Perl is vulnerable to a heap buffer overflow in the XS function random_bytes().
The function does not validate that the length parameter is non-negative. If a negative value (e.g. -1) is supplied, the expression length + 1u causes an integer wraparound, resulting in a zero-byte allocation. The subsequent call to chosen random function (e.g. getrandom) passes the original negative value, which is implicitly converted to a large unsigned value (typically SIZE_MAX). This can result in writes beyond the allocated buffer, leading to heap memory corruption and application crash (denial of service).
In common usage, the length argument is typically hardcoded by the caller, which reduces the likelihood of attacker-controlled exploitation. Applications that pass untrusted input to this parameter may be affected.
Severity ?
7.5 (High)
CWE
Assigner
References
| URL | Tags | |
|---|---|---|
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| LEONT | Crypt::SysRandom::XS |
Affected:
0 , < 0.010
(custom)
|
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2026-2597",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-02-27T18:50:03.345736Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-02-27T18:50:46.353Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://cpan.org/modules",
"defaultStatus": "unaffected",
"packageName": "Crypt-SysRandom-XS",
"product": "Crypt::SysRandom::XS",
"programFiles": [
"lib/Crypt/SysRandom/XS.xs"
],
"programRoutines": [
{
"name": "random_bytes()"
}
],
"repo": "https://github.com/Leont/crypt-sysrandom-xs",
"vendor": "LEONT",
"versions": [
{
"lessThan": "0.010",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Crypt::SysRandom::XS versions before 0.010 for Perl is vulnerable to a heap buffer overflow in the XS function random_bytes().\n\nThe function does not validate that the length parameter is non-negative. If a negative value (e.g. -1) is supplied, the expression length + 1u causes an integer wraparound, resulting in a zero-byte allocation. The subsequent call to chosen random function (e.g. getrandom) passes the original negative value, which is implicitly converted to a large unsigned value (typically SIZE_MAX). This can result in writes beyond the allocated buffer, leading to heap memory corruption and application crash (denial of service).\n\nIn common usage, the length argument is typically hardcoded by the caller, which reduces the likelihood of attacker-controlled exploitation. Applications that pass untrusted input to this parameter may be affected."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-122",
"description": "CWE-122 Heap-based Buffer Overflow",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-1284",
"description": "CWE-1284 Improper Validation of Specified Quantity in Input",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-02-26T23:29:16.488Z",
"orgId": "9b29abf9-4ab0-4765-b253-1875cd9b441e",
"shortName": "CPANSec"
},
"references": [
{
"tags": [
"release-notes"
],
"url": "https://metacpan.org/dist/Crypt-SysRandom-XS/changes"
},
{
"tags": [
"related"
],
"url": "https://metacpan.org/release/LEONT/Crypt-SysRandom-XS-0.011/source/lib/Crypt/SysRandom/XS.xs#L51-52"
}
],
"solutions": [
{
"lang": "en",
"value": "Update to version 0.010 or later"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Crypt::SysRandom::XS versions before 0.010 for Perl is vulnerable to a heap buffer overflow in the XS function random_bytes()",
"x_generator": {
"engine": "cpansec-cna-tool 0.1"
}
}
},
"cveMetadata": {
"assignerOrgId": "9b29abf9-4ab0-4765-b253-1875cd9b441e",
"assignerShortName": "CPANSec",
"cveId": "CVE-2026-2597",
"datePublished": "2026-02-26T23:29:16.488Z",
"dateReserved": "2026-02-16T20:27:02.194Z",
"dateUpdated": "2026-02-27T18:50:46.353Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2024-58041 (GCVE-0-2024-58041)
Vulnerability from cvelistv5 – Published: 2026-02-23 23:54 – Updated: 2026-02-24 16:41
VLAI?
Title
Smolder versions through 1.51 for Perl uses insecure rand() function for cryptographic functions
Summary
Smolder versions through 1.51 for Perl uses insecure rand() function for cryptographic functions.
Smolder 1.51 and earlier for Perl uses the rand() function as the default source of entropy, which is not cryptographically secure, for cryptographic functions.
Specifically Smolder::DB::Developer uses the Data::Random library which specifically states that it is "Useful mostly for test programs". Data::Random uses the rand() function.
Severity ?
9.1 (Critical)
CWE
- CWE-338 - Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG)
Assigner
References
Credits
Robert Rothenberg (RRWO)
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 9.1,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2024-58041",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-02-24T16:41:10.683807Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-02-24T16:41:35.824Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://cpan.org/modules",
"defaultStatus": "unaffected",
"packageName": "Smolder",
"product": "Smolder",
"programFiles": [
"lib/Smolder/DB/Developer.pm"
],
"vendor": "WONKO",
"versions": [
{
"lessThanOrEqual": "1.51",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Robert Rothenberg (RRWO)"
}
],
"descriptions": [
{
"lang": "en",
"value": "Smolder versions through 1.51 for Perl uses insecure rand() function for cryptographic functions.\n\nSmolder 1.51 and earlier for Perl uses the rand() function as the default source of entropy, which is not cryptographically secure, for cryptographic functions.\n\nSpecifically Smolder::DB::Developer uses the Data::Random library which specifically states that it is \"Useful mostly for test programs\". Data::Random uses the rand() function."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-338",
"description": "CWE-338 Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-02-23T23:54:23.396Z",
"orgId": "9b29abf9-4ab0-4765-b253-1875cd9b441e",
"shortName": "CPANSec"
},
"references": [
{
"url": "https://perldoc.perl.org/functions/rand"
},
{
"url": "https://security.metacpan.org/docs/guides/random-data-for-security.html"
},
{
"url": "https://metacpan.org/release/BAREFOOT/Data-Random-0.13/source/lib/Data/Random.pm#L537"
},
{
"url": "https://metacpan.org/release/WONKO/Smolder-1.51/source/lib/Smolder/DB/Developer.pm#L5"
},
{
"url": "https://metacpan.org/release/WONKO/Smolder-1.51/source/lib/Smolder/DB/Developer.pm#L221"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Smolder versions through 1.51 for Perl uses insecure rand() function for cryptographic functions",
"x_generator": {
"engine": "cpansec-cna-tool 0.1"
}
}
},
"cveMetadata": {
"assignerOrgId": "9b29abf9-4ab0-4765-b253-1875cd9b441e",
"assignerShortName": "CPANSec",
"cveId": "CVE-2024-58041",
"datePublished": "2026-02-23T23:54:23.396Z",
"dateReserved": "2025-03-26T14:00:56.432Z",
"dateUpdated": "2026-02-24T16:41:35.824Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-2588 (GCVE-0-2026-2588)
Vulnerability from cvelistv5 – Published: 2026-02-22 23:31 – Updated: 2026-02-23 18:47
VLAI?
Title
Crypt::NaCl::Sodium versions through 2.001 for Perl has an integer overflow flaw on 32-bit systems
Summary
Crypt::NaCl::Sodium versions through 2.001 for Perl has an integer overflow flaw on 32-bit systems.
Sodium.xs casts a STRLEN (size_t) to unsigned long long when passing a length pointer to libsodium functions. On 32-bit systems size_t is typically 32-bits while an unsigned long long is at least 64-bits.
Severity ?
9.1 (Critical)
CWE
- CWE-190 - Integer Overflow or Wraparound
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| TIMLEGGE | Crypt::NaCl::Sodium |
Affected:
0 , ≤ 2.001
(custom)
|
Credits
Timothy Legge (timlegge)
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.1,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2026-2588",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-02-23T18:46:11.334461Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-02-23T18:47:51.202Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://cpan.org/modules",
"defaultStatus": "unaffected",
"packageName": "Crypt-NaCl-Sodium",
"product": "Crypt::NaCl::Sodium",
"programFiles": [
"Sodium.xs"
],
"repo": "https://github.com/cpan-authors/crypt-nacl-sodium",
"vendor": "TIMLEGGE",
"versions": [
{
"lessThanOrEqual": "2.001",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Timothy Legge (timlegge)"
}
],
"descriptions": [
{
"lang": "en",
"value": "Crypt::NaCl::Sodium versions through 2.001 for Perl has an integer overflow flaw on 32-bit systems.\n\nSodium.xs casts a STRLEN (size_t) to unsigned long long when passing a length pointer to libsodium functions. On 32-bit systems size_t is typically 32-bits while an unsigned long long is at least 64-bits."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-190",
"description": "CWE-190 Integer Overflow or Wraparound",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-02-22T23:31:19.720Z",
"orgId": "9b29abf9-4ab0-4765-b253-1875cd9b441e",
"shortName": "CPANSec"
},
"references": [
{
"tags": [
"related"
],
"url": "https://metacpan.org/release/TIMLEGGE/Crypt-NaCl-Sodium-2.001/source/Sodium.xs#L2119"
},
{
"tags": [
"patch"
],
"url": "https://github.com/cpan-authors/crypt-nacl-sodium/commit/8cf7f66ba922443e131c9deae1ee00fafe4f62e4.patch"
},
{
"tags": [
"patch"
],
"url": "https://github.com/cpan-authors/crypt-nacl-sodium/commit/557388bdb4da416a56663cda0154b80cd524395c.patch"
}
],
"solutions": [
{
"lang": "en",
"value": "Upgrade to version 2.002"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Crypt::NaCl::Sodium versions through 2.001 for Perl has an integer overflow flaw on 32-bit systems",
"x_generator": {
"engine": "cpansec-cna-tool 0.1"
}
}
},
"cveMetadata": {
"assignerOrgId": "9b29abf9-4ab0-4765-b253-1875cd9b441e",
"assignerShortName": "CPANSec",
"cveId": "CVE-2026-2588",
"datePublished": "2026-02-22T23:31:19.720Z",
"dateReserved": "2026-02-16T14:52:54.157Z",
"dateUpdated": "2026-02-23T18:47:51.202Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}