Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
3DescriptionNVD
HTTP::Session versions through 0.53 for Perl defaults to using insecurely generated session ids.
HTTP::Session defaults to using HTTP::Session::ID::SHA1 to generate session ids using a SHA-1 hash seeded with the built-in rand function, the high resolution epoch time, and the PID. The PID will come from a small set of numbers, and the epoch time may be guessed, if it is not leaked from the HTTP Date header. The built-in rand function is unsuitable for cryptographic usage.
The distribution includes HTTP::session::ID::MD5 which contains a similar flaw, but uses the MD5 hash instead.
AnalysisAI
HTTP::Session versions through 0.53 for Perl defaults to using insecurely generated session ids.
Technical ContextAI
This vulnerability is classified as Generation of Predictable Numbers or Identifiers (CWE-340).
RemediationAI
Monitor vendor advisories for patches. Apply mitigations such as network segmentation, access restrictions, and monitoring.
An issue was discovered in the http crate before 0.1.20 for Rust. Rated high severity (CVSS 7.5), this vulnerability is
An issue was discovered in the http package through 0.12.2 for Dart. Rated medium severity (CVSS 6.1), this vulnerabilit
Credential leakage in the Perl HTTP::Tiny client (all versions before 0.095) lets an attacker who controls a redirect de
HTTP::Tiny versions before 0.093 for Perl fail to validate carriage return and line feed (CRLF) characters in HTTP reque
HTTP::Session2 versions through 1.09 for Perl does not validate the format of user provided session ids, enabling code i
react/http is an event-driven, streaming HTTP client and server implementation for ReactPHP. Rated medium severity (CVSS
ReactPHP HTTP is a streaming HTTP client and server implementation for ReactPHP. Rated medium severity (CVSS 5.3), this
Same technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-16939
GHSA-mx9c-4xjq-mhj6