CVE-2026-9692

Mojolicious::Sessions::Storable versions through 0.05 for Perl generate session ids insecurely. The default session id generator returns a SHA-1 hash seeded with the built-in rand function, the epoch time, the heap address of an anonymous hash, and the PID. These are predictable or low-entropy sources that are unsuitable for security purposes.

CVSS v3 5.3 MEDIUM

5.3^/10

CVSS v3 : MEDIUM

Vector :

Exploitability : 3.9 / Impact : 1.4

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact LOW

Integrity Impact NONE

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://metacpan.org/release/HAYAJO/Mojolicious-Plugin-SessionStore-0.05/source/lib/Mojolicious/Sessions/Storable.pm#L11-15
https://security.metacpan.org/docs/guides/random-data-for-security.html
https://security.metacpan.org/patches/M/Mojolicious-Plugin-SessionStore/0.05/CVE-2026-9692-r1.patch
https://www.cve.org/CVERecord?id=CVE-2025-40923

Configurations

No configuration.

History

18 Jun 2026, 20:16

Type	Values Removed	Values Added
New CVE

Information

Published : 2026-06-18 19:16

Updated : 2026-06-18 20:16

NVD link : CVE-2026-9692

Mitre link : CVE-2026-9692

CVE.ORG link : CVE-2026-9692

JSON object : View

Products Affected

No product.

CWE

CWE-338

Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG)

CWE-340

Generation of Predictable Numbers or Identifiers

{"id": "CVE-2026-9692", "cveTags": [], "metrics": {"ssvcV203": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "ssvcData": {"id": "CVE-2026-9692", "role": "CISA Coordinator", "options": [{"exploitation": "none"}, {"automatable": "yes"}, {"technicalImpact": "partial"}], "version": "2.0.3", "timestamp": "2026-06-18T18:47:24.948872Z"}}], "cvssMetricV31": [{"type": "Secondary", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}, "impactScore": 1.4, "exploitabilityScore": 3.9}]}, "affected": [{"source": "9b29abf9-4ab0-4765-b253-1875cd9b441e", "affectedData": [{"repo": "https://github.com/hayajo/Mojolicious-Plugin-SessionStore", "vendor": "HAYAJO", "product": "Mojolicious::Sessions::Storable", "versions": [{"status": "affected", "version": "0", "versionType": "custom", "lessThanOrEqual": "0.05"}], "packageName": "Mojolicious-Plugin-SessionStore", "collectionURL": "https://cpan.org/modules", "defaultStatus": "unaffected", "programRoutines": [{"name": "Mojolicious::Sessions::Storable#sid_generator"}]}]}], "published": "2026-06-18T19:16:23.790", "references": [{"url": "https://metacpan.org/release/HAYAJO/Mojolicious-Plugin-SessionStore-0.05/source/lib/Mojolicious/Sessions/Storable.pm#L11-15", "source": "9b29abf9-4ab0-4765-b253-1875cd9b441e"}, {"url": "https://security.metacpan.org/docs/guides/random-data-for-security.html", "source": "9b29abf9-4ab0-4765-b253-1875cd9b441e"}, {"url": "https://security.metacpan.org/patches/M/Mojolicious-Plugin-SessionStore/0.05/CVE-2026-9692-r1.patch", "source": "9b29abf9-4ab0-4765-b253-1875cd9b441e"}, {"url": "https://www.cve.org/CVERecord?id=CVE-2025-40923", "source": "9b29abf9-4ab0-4765-b253-1875cd9b441e"}], "vulnStatus": "Received", "weaknesses": [{"type": "Secondary", "source": "9b29abf9-4ab0-4765-b253-1875cd9b441e", "description": [{"lang": "en", "value": "CWE-338"}, {"lang": "en", "value": "CWE-340"}]}], "descriptions": [{"lang": "en", "value": "Mojolicious::Sessions::Storable versions through 0.05 for Perl generate session ids insecurely.\n\nThe default session id generator returns a SHA-1 hash seeded with the built-in rand function, the epoch time, the heap address of an anonymous hash, and the PID.\n\nThese are predictable or low-entropy sources that are unsuitable for security purposes."}], "lastModified": "2026-06-18T20:16:15.497", "sourceIdentifier": "9b29abf9-4ab0-4765-b253-1875cd9b441e"}