Skip to main content

GD::SecurityImage CVE-2026-13082

| EUVDEUVD-2026-45169 MEDIUM
Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG) (CWE-338)
2026-07-17 CPANSec GHSA-p496-rgmp-v9mg
5.3
CVSS 3.1 · Vendor: CPANSec
Share

Severity by source

Vendor (CPANSec) PRIMARY
5.3 MEDIUM
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
vuln.today AI
3.7 LOW

AV:N and PR:N are clear; AC:H reflects the need to observe multiple CAPTCHA outputs to reconstruct rand() seed before prediction succeeds.

3.1 AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N
4.0 AV:N/AC:H/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (CPANSec).

CVSS VectorVendor: CPANSec

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
Low
Availability
None

Lifecycle Timeline

3
Analysis Generated
Jul 17, 2026 - 18:23 vuln.today
CVSS changed
Jul 17, 2026 - 18:22 NVD
5.3 (MEDIUM)
CVE Published
Jul 17, 2026 - 12:54 cve.org
UNKNOWN (no severity yet)

DescriptionCVE.org

GD::SecurityImage versions through 1.75 for Perl use rand to generate secrets.

The random method creates the challenge text used for the CAPTCHA by sampling characters from an array using Perl's built-in rand function, and generates a (by default) six-character string.

The built-in rand function is unsuitable for security applications because it is predictable and reversible.

AnalysisAI

CAPTCHA bypass in GD::SecurityImage through version 1.75 for Perl stems from use of Perl's non-cryptographic rand() function to generate challenge text, making CAPTCHA tokens predictable and reversible by an unauthenticated network attacker. Any Perl web application relying on this library for bot protection is exposed to automated CAPTCHA solving, undermining form submission rate-limiting, account registration guards, and similar defenses. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Identify target Perl app using GD::SecurityImage
Delivery
Request CAPTCHA endpoint repeatedly
Exploit
Collect challenge strings to model rand() state
Execution
Predict future CAPTCHA tokens
Persist
Submit automated requests with predicted tokens
Impact
Bypass bot protection

Vulnerability AssessmentAI

Exploitation Exploitation requires that the target Perl application uses GD::SecurityImage versions 0 through 1.75 to generate CAPTCHA challenges presented over a network interface. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The NVD CVSS 3.1 vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N reflects a moderate-severity integrity issue with no authentication barrier and low complexity. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker targeting a Perl web application protected by GD::SecurityImage submits multiple requests to observe a sequence of CAPTCHA challenge strings, then uses the known-weak rand() PRNG algorithm to reconstruct the internal seed state. With the seed recovered, the attacker predicts all subsequent CAPTCHA tokens and scripts automated form submissions - for example, bulk account registrations or credential stuffing - without triggering the CAPTCHA defense. …
Remediation A patch file has been published by the vendor through the MetaCPAN security team at https://security.metacpan.org/patches/G/GD-SecurityImage/1.75/CVE-2026-13082-r1.patch. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-13082 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy