CVE-2026-9692
MEDIUM EPSS 19.1%
Published Jun 18, 20261w ago · Modified Jun 22, 20261w ago
5.3 CVSS 3.1
Published Jun 18, 2026 1w ago
Last Modified Jun 22, 2026 1w ago
Description
Mojolicious::Sessions::Storable versions through 0.05 for Perl generate session ids insecurely. The default session id generator returns a SHA-1 hash seeded with the built-in rand function, the epoch time, the heap address of an anonymous hash, and the PID. These are predictable or low-entropy sources that are unsuitable for security purposes.
CVSS Details
Base Score
Exploitability
Impact
Vector string
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N Attack Vector Network
Attack Complexity Low
Privileges Required None
User Interaction None
Scope Unchanged
Confidentiality Low
Integrity None
Availability None
Threat Intelligence
EPSS Exploit Probability
19.1% percentile
Exploit & Patch Status
No Known Exploit
No Patch Available
Weaknesses 2
CWE-338
CWE-340
References 4
- metacpan.org https://metacpan.org/release/HAYAJO/Mojolicious-Plugin-SessionStore-0.05/source/lib/Mojolicious/Sessions/Storable.pm#L11-15
- security.metacpan.org https://security.metacpan.org/docs/guides/random-data-for-security.html
- security.metacpan.org https://security.metacpan.org/patches/M/Mojolicious-Plugin-SessionStore/0.05/CVE-2026-9692-r1.patch
- cve.org https://www.cve.org/CVERecord?id=CVE-2025-40923
Remediation
No remediation data recorded yet
Check vendor advisories and the NVD entry for patch availability.