CVE-2026-9692

MEDIUM EPSS 19.1%
Published Jun 18, 20261w ago · Modified Jun 22, 20261w ago
5.3 CVSS 3.1
Medium
Find Similar
Published Jun 18, 2026 1w ago
Last Modified Jun 22, 2026 1w ago

Description

Mojolicious::Sessions::Storable versions through 0.05 for Perl generate session ids insecurely. The default session id generator returns a SHA-1 hash seeded with the built-in rand function, the epoch time, the heap address of an anonymous hash, and the PID. These are predictable or low-entropy sources that are unsuitable for security purposes.

CVSS Details

Base Score
5.3
Exploitability
3.9
Impact
1.4
Vector string
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Attack Vector Network
Attack Complexity Low
Privileges Required None
User Interaction None
Scope Unchanged
Confidentiality Low
Integrity None
Availability None

Threat Intelligence

EPSS Exploit Probability
19.1% percentile
Exploit & Patch Status
No Known Exploit
No Patch Available

Weaknesses 2

CWE-338
CWE-340

References 4

  • metacpan.org https://metacpan.org/release/HAYAJO/Mojolicious-Plugin-SessionStore-0.05/source/lib/Mojolicious/Sessions/Storable.pm#L11-15
  • security.metacpan.org https://security.metacpan.org/docs/guides/random-data-for-security.html
  • security.metacpan.org https://security.metacpan.org/patches/M/Mojolicious-Plugin-SessionStore/0.05/CVE-2026-9692-r1.patch
  • cve.org https://www.cve.org/CVERecord?id=CVE-2025-40923

Remediation

No remediation data recorded yet

Check vendor advisories and the NVD entry for patch availability.