
    4 vulnerabilities by HAARG

    CVE-2026-7010 (GCVE-0-2026-7010)

    Vulnerability from nvd – Published: 2026-05-11 21:14 – Updated: 2026-05-12 14:45
    VLAI
    Title
    HTTP::Tiny versions before 0.093 for Perl do not validate CRLF in HTTP request lines or control field header values
    Summary
    HTTP::Tiny versions before 0.093 for Perl do not validate CRLF in HTTP request lines or control field header values. The unvalidated inputs are the method and URI in the request line, the URL host that becomes the `Host:` header, and HTTP/1.1 control data field values. An attacker who controls one of these inputs, for example a user-supplied URL passed to a webhook or URL fetch endpoint, can inject additional headers and smuggle requests to the upstream server. The record's listed solution is to upgrade to HTTP-Tiny 0.093-TRIAL or later.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-113 - Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Request/Response Splitting')
    Assigner
    Impacted products
    Vendor Product Version
    HAARG HTTP::Tiny Affected: 0 , < 0.093 (custom)

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2026-05-11T23:19:47.588Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "url": "http://www.openwall.com/lists/oss-security/2026/05/11/17"
              }
            ],
            "title": "CVE Program Container"
          },
          {
            "metrics": [
              {
                "cvssV3_1": {
                  "attackComplexity": "LOW",
                  "attackVector": "NETWORK",
                  "availabilityImpact": "NONE",
                  "baseScore": 6.5,
                  "baseSeverity": "MEDIUM",
                  "confidentialityImpact": "LOW",
                  "integrityImpact": "LOW",
                  "privilegesRequired": "NONE",
                  "scope": "UNCHANGED",
                  "userInteraction": "NONE",
                  "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N",
                  "version": "3.1"
                }
              },
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-7010",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-05-12T14:43:55.536998Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-05-12T14:45:06.662Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "collectionURL": "https://cpan.org/modules",
              "defaultStatus": "unaffected",
              "packageName": "HTTP-Tiny",
              "product": "HTTP::Tiny",
              "programFiles": [
                "lib/HTTP/Tiny.pm"
              ],
              "repo": "https://github.com/Perl-Toolchain-Gang/HTTP-Tiny",
              "vendor": "HAARG",
              "versions": [
                {
                  "lessThan": "0.093",
                  "status": "affected",
                  "version": "0",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "HTTP::Tiny versions before 0.093 for Perl do not validate CRLF in HTTP request lines or control field header values.\n\nThe unvalidated inputs are the method and URI in the request line, the URL host that becomes the `Host:` header, and HTTP/1.1 control data field values.\n\nAn attacker who controls one of these inputs, for example a user supplied URL passed to a webhook or URL fetch endpoint, can inject additional headers and smuggle requests to the upstream server."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-113",
                  "description": "CWE-113 Improper Neutralization of CRLF Sequences in HTTP Headers (\u0027HTTP Request/Response Splitting\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-05-11T21:14:20.581Z",
            "orgId": "9b29abf9-4ab0-4765-b253-1875cd9b441e",
            "shortName": "CPANSec"
          },
          "references": [
            {
              "tags": [
                "patch"
              ],
              "url": "https://github.com/Perl-Toolchain-Gang/HTTP-Tiny/commit/d73c7651e82ace02693842df55928b6c3ae7c38d.patch"
            },
            {
              "tags": [
                "release-notes"
              ],
              "url": "https://metacpan.org/release/HAARG/HTTP-Tiny-0.093-TRIAL/changes"
            }
          ],
          "solutions": [
            {
              "lang": "en",
              "value": "Upgrade to HTTP-Tiny 0.093-TRIAL or later."
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "timeline": [
            {
              "lang": "en",
              "time": "2026-04-25T00:00:00.000Z",
              "value": "Issue discovered."
            },
            {
              "lang": "en",
              "time": "2026-05-11T00:00:00.000Z",
              "value": "HTTP-Tiny 0.093-TRIAL published with fix."
            }
          ],
          "title": "HTTP::Tiny versions before 0.093 for Perl do not validate CRLF in HTTP request lines or control field header values",
          "x_generator": {
            "engine": "cpansec-cna-tool 0.1"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "9b29abf9-4ab0-4765-b253-1875cd9b441e",
        "assignerShortName": "CPANSec",
        "cveId": "CVE-2026-7010",
        "datePublished": "2026-05-11T21:14:20.581Z",
        "dateReserved": "2026-04-25T09:18:30.030Z",
        "dateUpdated": "2026-05-12T14:45:06.662Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2025-40924 (GCVE-0-2025-40924)

    Vulnerability from nvd – Published: 2025-07-17 13:33 – Updated: 2025-07-17 19:53
    VLAI
    Title
    Catalyst::Plugin::Session before version 0.44 for Perl generates session ids insecurely
    Summary
    Catalyst::Plugin::Session before version 0.44 for Perl generates session ids insecurely. The session id is generated from a (usually SHA-1) hash of a simple counter, the epoch time, the built-in rand function, the PID and the current Catalyst context. This information is of low entropy. The PID will come from a small set of numbers, and the epoch time may be guessed, if it is not leaked from the HTTP Date header. The built-in rand function is unsuitable for cryptographic usage. Predictable session ids could allow an attacker to gain access to systems. The record's listed solution is to upgrade to Catalyst-Plugin-Session version 0.44 or later.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-340 - Generation of Predictable Numbers or Identifiers
    • CWE-338 - Use of Cryptographically Weak Pseudo-Random Number Generator
    Assigner
    Impacted products
    Vendor Product Version
    HAARG Catalyst::Plugin::Session Affected: 0.01 , < 0.44 (custom)

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "cvssV3_1": {
                  "attackComplexity": "LOW",
                  "attackVector": "NETWORK",
                  "availabilityImpact": "NONE",
                  "baseScore": 6.5,
                  "baseSeverity": "MEDIUM",
                  "confidentialityImpact": "LOW",
                  "integrityImpact": "LOW",
                  "privilegesRequired": "NONE",
                  "scope": "UNCHANGED",
                  "userInteraction": "NONE",
                  "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N",
                  "version": "3.1"
                }
              },
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-40924",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-07-17T19:51:00.779304Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-07-17T19:53:31.346Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "collectionURL": "https://cpan.org/modules",
              "defaultStatus": "unaffected",
              "packageName": "Catalyst-Plugin-Session",
              "product": "Catalyst::Plugin::Session",
              "repo": "https://github.com/perl-catalyst/Catalyst-Plugin-Session",
              "vendor": "HAARG",
              "versions": [
                {
                  "lessThan": "0.44",
                  "status": "affected",
                  "version": "0.01",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\u003cdiv\u003eCatalyst::Plugin::Session before version 0.44 for Perl generates session ids insecurely.\u003c/div\u003e\u003cdiv\u003eThe session id is generated from a (usually SHA-1) hash of a simple counter, the epoch time, the built-in rand function, the PID and the current Catalyst context. This information is of low entropy. The PID will come from a small set of numbers, and the epoch time may be guessed, if it is not leaked from the HTTP Date header. The built-in rand function is unsuitable for cryptographic usage.\u003c/div\u003e\u003cdiv\u003ePredicable session ids could allow an attacker to gain access to systems.\u003cbr\u003e\u003c/div\u003e"
                }
              ],
              "value": "Catalyst::Plugin::Session before version 0.44 for Perl generates session ids insecurely.\n\nThe session id is generated from a (usually SHA-1) hash of a simple counter, the epoch time, the built-in rand function, the PID and the current Catalyst context. This information is of low entropy. The PID will come from a small set of numbers, and the epoch time may be guessed, if it is not leaked from the HTTP Date header. The built-in rand function is unsuitable for cryptographic usage.\n\nPredicable session ids could allow an attacker to gain access to systems."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-340",
                  "description": "CWE-340 Generation of Predictable Numbers or Identifiers",
                  "lang": "en",
                  "type": "CWE"
                },
                {
                  "cweId": "CWE-338",
                  "description": "CWE-338 Use of Cryptographically Weak Pseudo-Random Number Generator",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-07-17T13:33:43.739Z",
            "orgId": "9b29abf9-4ab0-4765-b253-1875cd9b441e",
            "shortName": "CPANSec"
          },
          "references": [
            {
              "url": "https://metacpan.org/release/HAARG/Catalyst-Plugin-Session-0.43/source/lib/Catalyst/Plugin/Session.pm#L632"
            },
            {
              "tags": [
                "issue-tracking"
              ],
              "url": "https://github.com/perl-catalyst/Catalyst-Plugin-Session/pull/5"
            },
            {
              "tags": [
                "patch"
              ],
              "url": "https://github.com/perl-catalyst/Catalyst-Plugin-Session/commit/c0e2b4ab1e42ebce1008286db8c571b6ee98c22c.patch"
            }
          ],
          "solutions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "Users are advised to upgrade to Catalyst-Plugin-Session version 0.44 or later."
                }
              ],
              "value": "Users are advised to upgrade to Catalyst-Plugin-Session version 0.44 or later."
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "title": "Catalyst::Plugin::Session before version 0.44 for Perl generates session ids insecurely",
          "x_generator": {
            "engine": "Vulnogram 0.2.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "9b29abf9-4ab0-4765-b253-1875cd9b441e",
        "assignerShortName": "CPANSec",
        "cveId": "CVE-2025-40924",
        "datePublished": "2025-07-17T13:33:43.739Z",
        "dateReserved": "2025-04-16T09:05:34.362Z",
        "dateUpdated": "2025-07-17T19:53:31.346Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2026-7010 (GCVE-0-2026-7010)

    Vulnerability from cvelistv5 – Published: 2026-05-11 21:14 – Updated: 2026-05-12 14:45
    VLAI
    Title
    HTTP::Tiny versions before 0.093 for Perl do not validate CRLF in HTTP request lines or control field header values
    Summary
    HTTP::Tiny versions before 0.093 for Perl do not validate CRLF in HTTP request lines or control field header values. The unvalidated inputs are the method and URI in the request line, the URL host that becomes the `Host:` header, and HTTP/1.1 control data field values. An attacker who controls one of these inputs, for example a user-supplied URL passed to a webhook or URL fetch endpoint, can inject additional headers and smuggle requests to the upstream server. The record's listed solution is to upgrade to HTTP-Tiny 0.093-TRIAL or later.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-113 - Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Request/Response Splitting')
    Assigner
    Impacted products
    Vendor Product Version
    HAARG HTTP::Tiny Affected: 0 , < 0.093 (custom)

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2026-05-11T23:19:47.588Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "url": "http://www.openwall.com/lists/oss-security/2026/05/11/17"
              }
            ],
            "title": "CVE Program Container"
          },
          {
            "metrics": [
              {
                "cvssV3_1": {
                  "attackComplexity": "LOW",
                  "attackVector": "NETWORK",
                  "availabilityImpact": "NONE",
                  "baseScore": 6.5,
                  "baseSeverity": "MEDIUM",
                  "confidentialityImpact": "LOW",
                  "integrityImpact": "LOW",
                  "privilegesRequired": "NONE",
                  "scope": "UNCHANGED",
                  "userInteraction": "NONE",
                  "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N",
                  "version": "3.1"
                }
              },
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-7010",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-05-12T14:43:55.536998Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-05-12T14:45:06.662Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "collectionURL": "https://cpan.org/modules",
              "defaultStatus": "unaffected",
              "packageName": "HTTP-Tiny",
              "product": "HTTP::Tiny",
              "programFiles": [
                "lib/HTTP/Tiny.pm"
              ],
              "repo": "https://github.com/Perl-Toolchain-Gang/HTTP-Tiny",
              "vendor": "HAARG",
              "versions": [
                {
                  "lessThan": "0.093",
                  "status": "affected",
                  "version": "0",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "HTTP::Tiny versions before 0.093 for Perl do not validate CRLF in HTTP request lines or control field header values.\n\nThe unvalidated inputs are the method and URI in the request line, the URL host that becomes the `Host:` header, and HTTP/1.1 control data field values.\n\nAn attacker who controls one of these inputs, for example a user supplied URL passed to a webhook or URL fetch endpoint, can inject additional headers and smuggle requests to the upstream server."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-113",
                  "description": "CWE-113 Improper Neutralization of CRLF Sequences in HTTP Headers (\u0027HTTP Request/Response Splitting\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-05-11T21:14:20.581Z",
            "orgId": "9b29abf9-4ab0-4765-b253-1875cd9b441e",
            "shortName": "CPANSec"
          },
          "references": [
            {
              "tags": [
                "patch"
              ],
              "url": "https://github.com/Perl-Toolchain-Gang/HTTP-Tiny/commit/d73c7651e82ace02693842df55928b6c3ae7c38d.patch"
            },
            {
              "tags": [
                "release-notes"
              ],
              "url": "https://metacpan.org/release/HAARG/HTTP-Tiny-0.093-TRIAL/changes"
            }
          ],
          "solutions": [
            {
              "lang": "en",
              "value": "Upgrade to HTTP-Tiny 0.093-TRIAL or later."
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "timeline": [
            {
              "lang": "en",
              "time": "2026-04-25T00:00:00.000Z",
              "value": "Issue discovered."
            },
            {
              "lang": "en",
              "time": "2026-05-11T00:00:00.000Z",
              "value": "HTTP-Tiny 0.093-TRIAL published with fix."
            }
          ],
          "title": "HTTP::Tiny versions before 0.093 for Perl do not validate CRLF in HTTP request lines or control field header values",
          "x_generator": {
            "engine": "cpansec-cna-tool 0.1"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "9b29abf9-4ab0-4765-b253-1875cd9b441e",
        "assignerShortName": "CPANSec",
        "cveId": "CVE-2026-7010",
        "datePublished": "2026-05-11T21:14:20.581Z",
        "dateReserved": "2026-04-25T09:18:30.030Z",
        "dateUpdated": "2026-05-12T14:45:06.662Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2025-40924 (GCVE-0-2025-40924)

    Vulnerability from cvelistv5 – Published: 2025-07-17 13:33 – Updated: 2025-07-17 19:53
    VLAI
    Title
    Catalyst::Plugin::Session before version 0.44 for Perl generates session ids insecurely
    Summary
    Catalyst::Plugin::Session before version 0.44 for Perl generates session ids insecurely. The session id is generated from a (usually SHA-1) hash of a simple counter, the epoch time, the built-in rand function, the PID and the current Catalyst context. This information is of low entropy. The PID will come from a small set of numbers, and the epoch time may be guessed, if it is not leaked from the HTTP Date header. The built-in rand function is unsuitable for cryptographic usage. Predictable session ids could allow an attacker to gain access to systems. The record's listed solution is to upgrade to Catalyst-Plugin-Session version 0.44 or later.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-340 - Generation of Predictable Numbers or Identifiers
    • CWE-338 - Use of Cryptographically Weak Pseudo-Random Number Generator
    Assigner
    Impacted products
    Vendor Product Version
    HAARG Catalyst::Plugin::Session Affected: 0.01 , < 0.44 (custom)

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "cvssV3_1": {
                  "attackComplexity": "LOW",
                  "attackVector": "NETWORK",
                  "availabilityImpact": "NONE",
                  "baseScore": 6.5,
                  "baseSeverity": "MEDIUM",
                  "confidentialityImpact": "LOW",
                  "integrityImpact": "LOW",
                  "privilegesRequired": "NONE",
                  "scope": "UNCHANGED",
                  "userInteraction": "NONE",
                  "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N",
                  "version": "3.1"
                }
              },
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-40924",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-07-17T19:51:00.779304Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-07-17T19:53:31.346Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "collectionURL": "https://cpan.org/modules",
              "defaultStatus": "unaffected",
              "packageName": "Catalyst-Plugin-Session",
              "product": "Catalyst::Plugin::Session",
              "repo": "https://github.com/perl-catalyst/Catalyst-Plugin-Session",
              "vendor": "HAARG",
              "versions": [
                {
                  "lessThan": "0.44",
                  "status": "affected",
                  "version": "0.01",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\u003cdiv\u003eCatalyst::Plugin::Session before version 0.44 for Perl generates session ids insecurely.\u003c/div\u003e\u003cdiv\u003eThe session id is generated from a (usually SHA-1) hash of a simple counter, the epoch time, the built-in rand function, the PID and the current Catalyst context. This information is of low entropy. The PID will come from a small set of numbers, and the epoch time may be guessed, if it is not leaked from the HTTP Date header. The built-in rand function is unsuitable for cryptographic usage.\u003c/div\u003e\u003cdiv\u003ePredicable session ids could allow an attacker to gain access to systems.\u003cbr\u003e\u003c/div\u003e"
                }
              ],
              "value": "Catalyst::Plugin::Session before version 0.44 for Perl generates session ids insecurely.\n\nThe session id is generated from a (usually SHA-1) hash of a simple counter, the epoch time, the built-in rand function, the PID and the current Catalyst context. This information is of low entropy. The PID will come from a small set of numbers, and the epoch time may be guessed, if it is not leaked from the HTTP Date header. The built-in rand function is unsuitable for cryptographic usage.\n\nPredicable session ids could allow an attacker to gain access to systems."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-340",
                  "description": "CWE-340 Generation of Predictable Numbers or Identifiers",
                  "lang": "en",
                  "type": "CWE"
                },
                {
                  "cweId": "CWE-338",
                  "description": "CWE-338 Use of Cryptographically Weak Pseudo-Random Number Generator",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-07-17T13:33:43.739Z",
            "orgId": "9b29abf9-4ab0-4765-b253-1875cd9b441e",
            "shortName": "CPANSec"
          },
          "references": [
            {
              "url": "https://metacpan.org/release/HAARG/Catalyst-Plugin-Session-0.43/source/lib/Catalyst/Plugin/Session.pm#L632"
            },
            {
              "tags": [
                "issue-tracking"
              ],
              "url": "https://github.com/perl-catalyst/Catalyst-Plugin-Session/pull/5"
            },
            {
              "tags": [
                "patch"
              ],
              "url": "https://github.com/perl-catalyst/Catalyst-Plugin-Session/commit/c0e2b4ab1e42ebce1008286db8c571b6ee98c22c.patch"
            }
          ],
          "solutions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "Users are advised to upgrade to Catalyst-Plugin-Session version 0.44 or later."
                }
              ],
              "value": "Users are advised to upgrade to Catalyst-Plugin-Session version 0.44 or later."
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "title": "Catalyst::Plugin::Session before version 0.44 for Perl generates session ids insecurely",
          "x_generator": {
            "engine": "Vulnogram 0.2.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "9b29abf9-4ab0-4765-b253-1875cd9b441e",
        "assignerShortName": "CPANSec",
        "cveId": "CVE-2025-40924",
        "datePublished": "2025-07-17T13:33:43.739Z",
        "dateReserved": "2025-04-16T09:05:34.362Z",
        "dateUpdated": "2025-07-17T19:53:31.346Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }