Search Results (207 CVEs found)

CVE Vendors Products Updated CVSS v3.1
CVE-2008-0166 3 Canonical, Debian, Openssl 3 Ubuntu Linux, Debian Linux, Openssl 2026-04-23 7.5 High
OpenSSL 0.9.8c-1 up to versions before 0.9.8g-9 on Debian-based operating systems uses a random number generator that generates predictable numbers, which makes it easier for remote attackers to conduct brute force guessing attacks against cryptographic keys.
CVE-2025-40926 1 Kazeburo 2 Plack::middleware::session::simple, Plack\ 2026-04-22 9.8 Critical
Plack::Middleware::Session::Simple versions before 0.05 for Perl generates session ids insecurely. The default session id generator returns a SHA-1 hash seeded with the built-in rand function, the epoch time, and the PID. The PID will come from a small set of numbers, and the epoch time may be guessed, if it is not leaked from the HTTP Date header. The built-in rand function is unsuitable for cryptographic usage. Predictable session ids could allow an attacker to gain access to systems. Plack::Middleware::Session::Simple is intended to be compatible with Plack::Middleware::Session, which had a similar security issue CVE-2025-40923.
CVE-2025-40931 1 Chorny 2 Apache::session::generate::md5, Apache\ 2026-04-21 9.1 Critical
Apache::Session::Generate::MD5 versions through 1.94 for Perl create insecure session id. Apache::Session::Generate::MD5 generates session ids insecurely. The default session id generator returns a MD5 hash seeded with the built-in rand() function, the epoch time, and the PID. The PID will come from a small set of numbers, and the epoch time may be guessed, if it is not leaked from the HTTP Date header. The built-in rand function is unsuitable for cryptographic usage. Predicable session ids could allow an attacker to gain access to systems. Note that the libapache-session-perl package in some Debian-based Linux distributions may be patched to use Crypt::URandom.
CVE-2026-2439 1 Bva 2 Concierge::sessions, Concierge\ 2026-04-17 9.8 Critical
Concierge::Sessions versions from 0.8.1 before 0.8.5 for Perl generate insecure session ids. The generate_session_id function in Concierge::Sessions::Base defaults to using the uuidgen command to generate a UUID, with a fallback to using Perl's built-in rand function. Neither of these methods are secure, and attackers are able to guess session_ids that can grant them access to systems. Specifically, * There is no warning when uuidgen fails. The software can be quietly using the fallback rand() function with no warnings if the command fails for any reason. * The uuidgen command will generate a time-based UUID if the system does not have a high-quality random number source, because the call does not explicitly specify the --random option. Note that the system time is shared in HTTP responses. * UUIDs are identifiers whose mere possession grants access, as per RFC 9562. * The output of the built-in rand() function is predictable and unsuitable for security applications.
CVE-2026-3255 1 Tokuhirom 2 Http::session2, Http\ 2026-04-17 6.5 Medium
HTTP::Session2 versions before 1.12 for Perl for Perl may generate weak session ids using the rand() function. The HTTP::Session2 session id generator returns a SHA-1 hash seeded with the built-in rand function, the epoch time, and the PID. The PID will come from a small set of numbers, and the epoch time may be guessed, if it is not leaked from the HTTP Date header. The built-in rand() function is unsuitable for cryptographic usage. HTTP::Session2 after version 1.02 will attempt to use the /dev/urandom device to generate a session id, but if the device is unavailable (for example, under Windows), then it will revert to the insecure method described above.
CVE-2025-3495 2026-04-15 9.8 Critical
Delta Electronics COMMGR v1 and v2 uses insufficiently randomized values to generate session IDs (CWE-338). An attacker could easily brute force a session ID and load and execute arbitrary code.
CVE-2023-31305 2026-04-15 1.9 Low
Generation of weak and predictable Initialization Vector (IV) in PMFW (Power Management Firmware) may allow an attacker with privileges to reuse IV values to reverse-engineer debug data, potentially resulting in information disclosure.
CVE-2023-50059 2026-04-15 5.3 Medium
An issue ingalxe.com Galxe platform 1.0 allows a remote attacker to obtain sensitive information via the Web3 authentication process of Galxe, the signed message lacks a nonce (random number)
CVE-2024-34538 1 Mateso 1 Passwordsafe 2026-04-15 7.5 High
Mateso PasswordSafe through 8.13.9.26689 has Weak Cryptography.
CVE-2024-56830 2026-04-15 5.4 Medium
The Net::EasyTCP package 0.15 through 0.26 for Perl uses Perl's builtin rand() if no strong randomization module is present.
CVE-2025-54883 1 Vision Ui Project 1 Vision Ui 2026-04-15 N/A
Vision UI is a collection of enterprise-grade, dependency-free modules for modern web projects. In versions 1.4.0 and below, the getSecureRandomInt function in security-kit versions prior to 3.5.0 (packaged in Vision-ui <= 1.4.0) contains a critical cryptographic weakness. Due to a silent 32-bit integer overflow in its internal masking logic, the function fails to produce a uniform distribution of random numbers when the requested range between min and max is larger than 2³². The root cause is the use of a 32-bit bitwise left-shift operation (<<) to generate a bitmask for the rejection sampling algorithm. This causes the mask to be incorrect for any range requiring 32 or more bits of entropy. This issue is fixed in version 1.5.0.
CVE-2025-40780 1 Isc 1 Bind 9 2026-04-15 8.6 High
In specific circumstances, due to a weakness in the Pseudo Random Number Generator (PRNG) that is used, it is possible for an attacker to predict the source port and query ID that BIND will use. This issue affects BIND 9 versions 9.16.0 through 9.16.50, 9.18.0 through 9.18.39, 9.20.0 through 9.20.13, 9.21.0 through 9.21.12, 9.16.8-S1 through 9.16.50-S1, 9.18.11-S1 through 9.18.39-S1, and 9.20.9-S1 through 9.20.13-S1.
CVE-2002-20002 2026-04-15 5.4 Medium
The Net::EasyTCP package before 0.15 for Perl always uses Perl's builtin rand(), which is not a strong random number generator, for cryptographic keys.
CVE-2018-25107 2026-04-15 7.5 High
The Crypt::Random::Source package before 0.13 for Perl has a fallback to the built-in rand() function, which is not a secure source of random bits.
CVE-2024-40762 1 Sonicwall 1 Sonicos 2026-04-15 9.8 Critical
Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG) in the SonicOS SSLVPN authentication token generator that, in certain cases, can be predicted by an attacker potentially resulting in authentication bypass.
CVE-2025-1860 2026-04-15 7.7 High
Data::Entropy for Perl 0.007 and earlier use the rand() function as the default source of entropy, which is not cryptographically secure, for cryptographic functions.
CVE-2025-1805 2026-04-15 5.3 Medium
Crypt::Salt for Perl version 0.01 uses insecure rand() function when generating salts for cryptographic purposes.
CVE-2024-45751 2026-04-15 5.9 Medium
tgt (aka Linux target framework) before 1.0.93 attempts to achieve entropy by calling rand without srand. The PRNG seed is always 1, and thus the sequence of challenges is always identical.
CVE-2025-21617 2026-04-15 N/A
Guzzle OAuth Subscriber signs Guzzle requests using OAuth 1.0. Prior to 0.8.1, Nonce generation does not use sufficient entropy nor a cryptographically secure pseudorandom source. This can leave servers vulnerable to replay attacks when TLS is not used. This vulnerability is fixed in 0.8.1.
CVE-2025-22376 2026-04-15 5.3 Medium
In Net::OAuth::Client in the Net::OAuth package before 0.29 for Perl, the default nonce is a 32-bit integer generated from the built-in rand() function, which is not cryptographically strong.