Severity by source
Sources disagree (Medium–Critical)
AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
vuln.today treats the vendor’s rating as authoritative. A higher third-party CVSS (e.g. CISA-ADP) is shown for transparency but does not drive the headline severity.
CVSS Vector
Vendor: CPANSec
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Description (CVE.org)
Mojolicious::Sessions::Storable versions through 0.05 for Perl generate session ids insecurely.
The default session id generator returns a SHA-1 hash seeded with the built-in rand function, the epoch time, the heap address of an anonymous hash, and the PID.
These are predictable or low-entropy sources that are unsuitable for security purposes.
Vendor Status
Vendor: SUSE
Severity: Critical
EUVD-2026-37926
GHSA-3m67-fq74-f4qg