CVE Catalog

CVE-2026-9692

MediumCVSS 5.3
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.27%

19th percentile — higher than 19% of all known CVEs

Summary

Mojolicious::Sessions::Storable versions through 0.05 for Perl generate session ids insecurely. The default session id generator uses low-entropy sources, making them predictable.

Risk Assessment

Organizations may be vulnerable to attacks where attackers can predict session ids, potentially leading to session hijacking.

Recommendation

It is recommended to upgrade to a newer version of Mojolicious::Sessions::Storable that improves the session id generation method to enhance security.

Original NVD description (English source)

Mojolicious::Sessions::Storable versions through 0.05 for Perl generate session ids insecurely. The default session id generator returns a SHA-1 hash seeded with the built-in rand function, the epoch time, the heap address of an anonymous hash, and the PID. These are predictable or low-entropy sources that are unsuitable for security purposes.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS