How to fix CVE-2025-40926?

Within 24 hours: Identify all systems running Plack and document current versions in use. Within 7 days: Test and deploy the available vendor patch in a staging environment to validate compatibility with dependent applications. Within 30 days: Complete production rollout of patches across all affected systems and verify successful deployment.

Is Suse affected by CVE-2025-40926?

CVE-2025-40926 is a critical vulnerability in Plack that could allow attackers to gain unauthorized system access with a 9.8 CVSS severity rating.

CVE-2025-40926

CRITICAL

2026-03-05 9b29abf9-4ab0-4765-b253-1875cd9b441e

9.8

CVSS 3.1

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

Lifecycle Timeline

Analysis Generated

Mar 12, 2026 - 22:06 vuln.today

Patch Released

Mar 12, 2026 - 00:16 nvd

Patch available

CVE Published

Mar 05, 2026 - 02:16 nvd

CRITICAL 9.8

Description

Plack::Middleware::Session::Simple versions before 0.05 for Perl generates session ids insecurely. The default session id generator returns a SHA-1 hash seeded with the built-in rand function, the epoch time, and the PID. The PID will come from a small set of numbers, and the epoch time may be guessed, if it is not leaked from the HTTP Date header. The built-in rand function is unsuitable for cryptographic usage. Predictable session ids could allow an attacker to gain access to systems. Plack::Middleware::Session::Simple is intended to be compatible with Plack::Middleware::Session, which had a similar security issue CVE-2025-40923.

Analysis

Insecure session ID generation in Plack::Middleware::Session::Simple before 0.05 for Perl. Patch available.

Technical Context

CWE-338.

Affected Products

['Plack::Middleware::Session::Simple < 0.05']

Remediation

Update.

Priority Score

Low Medium High Critical

KEV: 0

EPSS: +0.1

CVSS: +49

POC: 0

Vendor Status

CVE-2025-40926 vulnerability details – vuln.today

Back

CVE-2025-40926

CVSS Vector

Lifecycle Timeline

Tags

Description

Analysis

Technical Context

Affected Products

Remediation

Priority Score

Vendor Status

Share

CVE-2025-40926

CVSS Vector

Lifecycle Timeline

Tags

Description

Analysis

Technical Context

Affected Products

Remediation

Priority Score

Vendor Status

Share

External POC / Exploit Code