Monthly
Authen::TOTP versions before 0.1.1 for Perl generate secrets using rand. Secrets were generated using Perl's built-in rand function, which is predictable and unsuitable for security usage.
Cryptographic weakness in Crypt::DSA for Perl versions before 1.20 allows remote attackers to predict DSA key material because seeds are generated with Perl's built-in rand() function instead of a cryptographically secure random source. Any DSA keys, signatures, or nonces produced by affected versions may be recoverable through brute-force or statistical analysis of the predictable PRNG state. No public exploit identified at time of analysis, and EPSS probability is negligible (0.01%), but the cryptographic primitive failure means all keys generated by vulnerable versions should be considered untrusted.
Insufficient entropy in Trog::TOTP for Perl (versions before 1.006) allows remote attackers to predict TOTP secrets generated using Perl's built-in rand() function, undermining the security of two-factor authentication tokens issued by applications relying on this module. The flaw was reported by CPANSec and a fixed release (1.006) is available on CPAN. No public exploit identified at time of analysis, and the EPSS score is very low (0.02%).
Insufficient randomness in DPA countermeasures within the SYMCRYPTO engine on Silicon Labs SixG301xxx devices enables physical attackers to extract cryptographic keys through side-channel analysis. The predictable countermeasure patterns eventually repeat, undermining differential power analysis (DPA) protections for Key Storage Unit (KSU) keys. While exploitation requires physical access and sophisticated equipment (CVSS 4.0 AV:P/AC:H), successful attacks achieve high confidentiality impact by recovering symmetric cryptographic keys. No public exploit code or CISA KEV listing exists at time of analysis, and EPSS data is not available for this recently disclosed vulnerability.
Weak session token generation in Schneider Electric industrial protection relays and energy management systems allows remote attackers to hijack authenticated user sessions via network-based prediction attacks. Affects 36 product variants across Easergy MiCOM P30/P40/C264, PowerLogic P5/P7/T-series, EcoStruxure Power Automation/Operation platforms, and iPMFLS systems. CVSS 8.7 reflects high confidentiality and integrity impact with user interaction required. No active exploitation confirmed (not in CISA KEV), but authentication bypass via session prediction enables privilege escalation in critical infrastructure environments. EPSS data not provided - risk assessment relies on CVSS vector and operational technology context.
XML parsers in CPython's xml.parsers.expat and xml.etree.ElementTree modules use insufficient entropy for Expat hash-flooding protection, allowing crafted XML documents to trigger algorithmic complexity attacks (hash flooding) that degrade parser performance. Remote attackers can exploit this with complex XML payloads to cause denial of service. Mitigation requires both updating libexpat to 2.8.0 or later and applying the CPython patch, as confirmed by Python Software Foundation security advisory.
A privilege escalation vulnerability in Microchip IStaX allows an authenticated low-privileged user to recover a shared per-device cookie secret from their own webstax_auth session cookie and forge a new cookie with administrative privileges.This issue affects IStaX before 2026.03.
libexpat before 2.7.6 uses insufficient entropy, and thus hash flooding can occur via a crafted XML document.
Insufficient entropy in cookie encryption within Auth0 PHP SDK versions 8.0.0 through 8.18.x enables brute-force attacks against session cookie encryption keys, potentially allowing authenticated threat actors with network access to forge arbitrary session cookies and bypass authentication controls. Vendor-released patch available in version 8.19.0. No public exploit identified at time of analysis, though CVSS score of 8.2 reflects high severity due to potential for complete authentication bypass with cross-scope impact.
Telerik Ui For Asp.Net Ajax versions up to 2026.1.225 contains a vulnerability that allows attackers to collisions and file content tampering (CVSS 5.3).
Authen::TOTP versions before 0.1.1 for Perl generate secrets using rand. Secrets were generated using Perl's built-in rand function, which is predictable and unsuitable for security usage.
Cryptographic weakness in Crypt::DSA for Perl versions before 1.20 allows remote attackers to predict DSA key material because seeds are generated with Perl's built-in rand() function instead of a cryptographically secure random source. Any DSA keys, signatures, or nonces produced by affected versions may be recoverable through brute-force or statistical analysis of the predictable PRNG state. No public exploit identified at time of analysis, and EPSS probability is negligible (0.01%), but the cryptographic primitive failure means all keys generated by vulnerable versions should be considered untrusted.
Insufficient entropy in Trog::TOTP for Perl (versions before 1.006) allows remote attackers to predict TOTP secrets generated using Perl's built-in rand() function, undermining the security of two-factor authentication tokens issued by applications relying on this module. The flaw was reported by CPANSec and a fixed release (1.006) is available on CPAN. No public exploit identified at time of analysis, and the EPSS score is very low (0.02%).
Insufficient randomness in DPA countermeasures within the SYMCRYPTO engine on Silicon Labs SixG301xxx devices enables physical attackers to extract cryptographic keys through side-channel analysis. The predictable countermeasure patterns eventually repeat, undermining differential power analysis (DPA) protections for Key Storage Unit (KSU) keys. While exploitation requires physical access and sophisticated equipment (CVSS 4.0 AV:P/AC:H), successful attacks achieve high confidentiality impact by recovering symmetric cryptographic keys. No public exploit code or CISA KEV listing exists at time of analysis, and EPSS data is not available for this recently disclosed vulnerability.
Weak session token generation in Schneider Electric industrial protection relays and energy management systems allows remote attackers to hijack authenticated user sessions via network-based prediction attacks. Affects 36 product variants across Easergy MiCOM P30/P40/C264, PowerLogic P5/P7/T-series, EcoStruxure Power Automation/Operation platforms, and iPMFLS systems. CVSS 8.7 reflects high confidentiality and integrity impact with user interaction required. No active exploitation confirmed (not in CISA KEV), but authentication bypass via session prediction enables privilege escalation in critical infrastructure environments. EPSS data not provided - risk assessment relies on CVSS vector and operational technology context.
XML parsers in CPython's xml.parsers.expat and xml.etree.ElementTree modules use insufficient entropy for Expat hash-flooding protection, allowing crafted XML documents to trigger algorithmic complexity attacks (hash flooding) that degrade parser performance. Remote attackers can exploit this with complex XML payloads to cause denial of service. Mitigation requires both updating libexpat to 2.8.0 or later and applying the CPython patch, as confirmed by Python Software Foundation security advisory.
A privilege escalation vulnerability in Microchip IStaX allows an authenticated low-privileged user to recover a shared per-device cookie secret from their own webstax_auth session cookie and forge a new cookie with administrative privileges.This issue affects IStaX before 2026.03.
libexpat before 2.7.6 uses insufficient entropy, and thus hash flooding can occur via a crafted XML document.
Insufficient entropy in cookie encryption within Auth0 PHP SDK versions 8.0.0 through 8.18.x enables brute-force attacks against session cookie encryption keys, potentially allowing authenticated threat actors with network access to forge arbitrary session cookies and bypass authentication controls. Vendor-released patch available in version 8.19.0. No public exploit identified at time of analysis, though CVSS score of 8.2 reflects high severity due to potential for complete authentication bypass with cross-scope impact.
Telerik Ui For Asp.Net Ajax versions up to 2026.1.225 contains a vulnerability that allows attackers to collisions and file content tampering (CVSS 5.3).