Skip to main content

Cgi CVE-2026-56016

| EUVDEUVD-2026-40927 MEDIUM
Generation of Predictable Numbers or Identifiers (CWE-340)
2026-07-01 CPANSec GHSA-r49c-4q8x-x33v
5.9
CVSS 3.1 · Vendor: CPANSec
Share

Severity by source

Vendor (CPANSec) PRIMARY
5.9 MEDIUM
AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N

Primary rating from Vendor (CPANSec) · only source for this CVE.

CVSS VectorVendor: CPANSec

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
Attack Vector
Network
Attack Complexity
High
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
None

Lifecycle Timeline

2
Patch available
Jul 01, 2026 - 09:01 EUVD
CVE Published
Jul 01, 2026 - 06:46 cve.org
UNKNOWN (no severity yet)

DescriptionCVE.org

CGI::Session::ID::md5 versions before 4.49 for Perl generate predictable session ids from low-entropy sources.

The generate_id method builds the session id from a MD5 digest of the process id, the epoch time, and the built-in rand() function. All three are predictable, low-entropy sources: the PID is drawn from a small range, the epoch time can be guessed or read from the HTTP Date header, and Perl's rand() is unsuitable for security purposes because it is predictable and reversible.

An attacker who predicts a session id can impersonate the corresponding session and bypass authentication.

Analysis

CGI::Session::ID::md5 versions before 4.49 for Perl generate predictable session ids from low-entropy sources. The generate_id method builds the session id from a MD5 digest of the process id, the epoch time, and the built-in rand() function. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-56016 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy