Monthly
CGI::Session::ID::md5 versions before 4.49 for Perl generate predictable session ids from low-entropy sources. The generate_id method builds the session id from a MD5 digest of the process id, the epoch time, and the built-in rand() function. All three are predictable, low-entropy sources: the PID is drawn from a small range, the epoch time can be guessed or read from the HTTP Date header, and Perl's rand() is unsuitable for security purposes because it is predictable and reversible. An attacker who predicts a session id can impersonate the corresponding session and bypass authentication.
Unauthorized device enrollment in the Setracker2 Android companion app (com.tgelec.setracker) versions 3.1.5 and prior lets remote attackers hijack other users' GPS smartwatches by guessing their registration ID. The registration ID is predictably derived from the device IMEI, and the enrollment workflow performs no secondary authentication before binding a watch to an account, so an attacker who learns or calculates the ID can take over the target's tracker. No public exploit has been identified at time of analysis, and the issue carries a CVSS 4.0 base score of 8.3 with high confidentiality impact, reflecting exposure of a child's or wearer's location data.
Account takeover in ManageEngine ADSelfService Plus, RecoveryManager Plus, M365 Manager Plus, and ADAudit Plus is possible because SSO session-authentication tickets are generated with insufficient randomness and can be predicted by an unauthenticated remote attacker. Successful prediction lets the attacker impersonate arbitrary users and gain full session-level confidentiality, integrity, and availability impact (CVSS 9.0). No public exploit identified at time of analysis, but the issue is acknowledged in the vendor advisory.
CSRF session hijacking in Mojolicious::Plugin::Web::Auth::OAuth2 through version 0.17 for Perl stems from a predictable default state parameter built from a SHA-1 hash of leaked epoch time and Perl's weak rand(). Remote attackers can guess or precompute valid state values to forge OAuth2 authorization responses and bind a victim's session to an attacker-controlled identity. No public exploit identified at time of analysis, EPSS is low (0.19%, 8th percentile), and a vendor patch is available.
Session ID generation in Mojolicious::Sessions::Storable through version 0.05 relies on predictable, low-entropy inputs - a SHA-1 hash seeded with Perl's built-in rand(), epoch time, a heap memory address, and the server PID - making session identifiers guessable by a network attacker. Successful exploitation enables session hijacking, allowing an attacker to impersonate authenticated users without possessing their credentials. No public exploit code has been identified and the vulnerability is not listed in CISA KEV, but the flaw is structurally significant on low-traffic, single-worker deployments where PID and timing entropy are minimal.
Mojolicious::Sessions::Storable versions through 0.05 for Perl generate session ids insecurely. The default session id generator returns a SHA-1 hash seeded with the built-in rand function, the epoch time, the heap address of an anonymous hash, and the PID. These are predictable or low-entropy sources that are unsuitable for security purposes.
Device identifier enumeration across Naxclow's IoT product line - including the Smart Doorbell X3, X Smart Home platform, V720, and IX Cam - allows unauthenticated remote attackers to build a complete inventory of active devices deployed in the field. The identifier scheme combines fixed manufacturing prefixes with sequential counters (CWE-340), and the platform compounds this by exposing an endpoint that reveals the current identifier high-water mark, effectively handing attackers a starting point for a full sweep. Reported by ICS-CERT under ICSA-26-162-02, this is a platform-wide architectural flaw; no public exploit or KEV listing is confirmed at time of analysis, but the low complexity and zero-authentication barrier make opportunistic enumeration trivially achievable.
Weak session ID generation in Apache::Session::Generate::SHA256 for Perl allows session prediction and hijacking. All versions before 1.3.19 derive session identifiers from low-entropy sources (time, PID, rand, stringified hash ref), enabling remote unauthenticated attackers to predict valid session IDs and gain unauthorized access. EPSS score is low (0.02%, 5th percentile) and no public exploit identified at time of analysis, but CVSS 6.5 with network vector (AV:N/AC:L/PR:N) indicates exploitability against internet-facing systems. Vendor-released patch 1.3.19 replaces predictable hash with Crypt::URandom cryptographically secure source. Similar scope to CVE-2025-40931 for MD5 variant.
WebDyne::Session versions through 2.075 for Perl generate cryptographically weak session identifiers using MD5 hashing seeded with Perl's predictable rand() function, allowing attackers to forge valid session IDs and gain unauthorized access to systems. The vulnerability affects all versions from 0 through 2.075 and stems from reliance on a 32-bit-seeded random number generator unsuitable for cryptographic purposes, making session hijacking feasible without authentication.
Predictable session ID generation in Apache::Session::Generate::ModUniqueId 1.54-1.94 allows remote unauthenticated attackers to forge session tokens and hijack user sessions. The vulnerability stems from using Apache mod_unique_id values as session identifiers-these values are deterministic and constructed from publicly observable or easily guessable components (server IP, process ID, timestamp, counter). With CVSS 9.1 and SSVC automation classification, this enables systematic session hijacking at scale despite no confirmed active exploitation.
CGI::Session::ID::md5 versions before 4.49 for Perl generate predictable session ids from low-entropy sources. The generate_id method builds the session id from a MD5 digest of the process id, the epoch time, and the built-in rand() function. All three are predictable, low-entropy sources: the PID is drawn from a small range, the epoch time can be guessed or read from the HTTP Date header, and Perl's rand() is unsuitable for security purposes because it is predictable and reversible. An attacker who predicts a session id can impersonate the corresponding session and bypass authentication.
Unauthorized device enrollment in the Setracker2 Android companion app (com.tgelec.setracker) versions 3.1.5 and prior lets remote attackers hijack other users' GPS smartwatches by guessing their registration ID. The registration ID is predictably derived from the device IMEI, and the enrollment workflow performs no secondary authentication before binding a watch to an account, so an attacker who learns or calculates the ID can take over the target's tracker. No public exploit has been identified at time of analysis, and the issue carries a CVSS 4.0 base score of 8.3 with high confidentiality impact, reflecting exposure of a child's or wearer's location data.
Account takeover in ManageEngine ADSelfService Plus, RecoveryManager Plus, M365 Manager Plus, and ADAudit Plus is possible because SSO session-authentication tickets are generated with insufficient randomness and can be predicted by an unauthenticated remote attacker. Successful prediction lets the attacker impersonate arbitrary users and gain full session-level confidentiality, integrity, and availability impact (CVSS 9.0). No public exploit identified at time of analysis, but the issue is acknowledged in the vendor advisory.
CSRF session hijacking in Mojolicious::Plugin::Web::Auth::OAuth2 through version 0.17 for Perl stems from a predictable default state parameter built from a SHA-1 hash of leaked epoch time and Perl's weak rand(). Remote attackers can guess or precompute valid state values to forge OAuth2 authorization responses and bind a victim's session to an attacker-controlled identity. No public exploit identified at time of analysis, EPSS is low (0.19%, 8th percentile), and a vendor patch is available.
Session ID generation in Mojolicious::Sessions::Storable through version 0.05 relies on predictable, low-entropy inputs - a SHA-1 hash seeded with Perl's built-in rand(), epoch time, a heap memory address, and the server PID - making session identifiers guessable by a network attacker. Successful exploitation enables session hijacking, allowing an attacker to impersonate authenticated users without possessing their credentials. No public exploit code has been identified and the vulnerability is not listed in CISA KEV, but the flaw is structurally significant on low-traffic, single-worker deployments where PID and timing entropy are minimal.
Mojolicious::Sessions::Storable versions through 0.05 for Perl generate session ids insecurely. The default session id generator returns a SHA-1 hash seeded with the built-in rand function, the epoch time, the heap address of an anonymous hash, and the PID. These are predictable or low-entropy sources that are unsuitable for security purposes.
Device identifier enumeration across Naxclow's IoT product line - including the Smart Doorbell X3, X Smart Home platform, V720, and IX Cam - allows unauthenticated remote attackers to build a complete inventory of active devices deployed in the field. The identifier scheme combines fixed manufacturing prefixes with sequential counters (CWE-340), and the platform compounds this by exposing an endpoint that reveals the current identifier high-water mark, effectively handing attackers a starting point for a full sweep. Reported by ICS-CERT under ICSA-26-162-02, this is a platform-wide architectural flaw; no public exploit or KEV listing is confirmed at time of analysis, but the low complexity and zero-authentication barrier make opportunistic enumeration trivially achievable.
Weak session ID generation in Apache::Session::Generate::SHA256 for Perl allows session prediction and hijacking. All versions before 1.3.19 derive session identifiers from low-entropy sources (time, PID, rand, stringified hash ref), enabling remote unauthenticated attackers to predict valid session IDs and gain unauthorized access. EPSS score is low (0.02%, 5th percentile) and no public exploit identified at time of analysis, but CVSS 6.5 with network vector (AV:N/AC:L/PR:N) indicates exploitability against internet-facing systems. Vendor-released patch 1.3.19 replaces predictable hash with Crypt::URandom cryptographically secure source. Similar scope to CVE-2025-40931 for MD5 variant.
WebDyne::Session versions through 2.075 for Perl generate cryptographically weak session identifiers using MD5 hashing seeded with Perl's predictable rand() function, allowing attackers to forge valid session IDs and gain unauthorized access to systems. The vulnerability affects all versions from 0 through 2.075 and stems from reliance on a 32-bit-seeded random number generator unsuitable for cryptographic purposes, making session hijacking feasible without authentication.
Predictable session ID generation in Apache::Session::Generate::ModUniqueId 1.54-1.94 allows remote unauthenticated attackers to forge session tokens and hijack user sessions. The vulnerability stems from using Apache mod_unique_id values as session identifiers-these values are deterministic and constructed from publicly observable or easily guessable components (server IP, process ID, timestamp, counter). With CVSS 9.1 and SSVC automation classification, this enables systematic session hijacking at scale despite no confirmed active exploitation.