CWE-338

Medium likelihood

Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG)

Parent: CWE-330 - Use of Insufficiently Random Values

The product uses a Pseudo-Random Number Generator (PRNG) in a security context, but the PRNG's algorithm is not cryptographically strong.

171 vulnerabilities with CWE-338

CVE-2026-5080

Dancer::Session::Abstract versions through 1.3522 for Perl generates session ids insecurely

CVE-2026-40514 MEDIUM

SmarterTools SmarterMail < Build 9610 Cryptographic Weakness via Weak RNG

CVSS 5.9

CVE-2026-41564 HIGH

CryptX versions before 0.088 for Perl do not reseed the Crypt::PK PRNG state after forking

CVSS 7.5

CVE-2026-5088 HIGH

Apache::API::Password versions through v0.5.2 for Perl can generate insecure random values for salts

CVSS 7.5

CVE-2026-5085 CRITICAL

Solstice::Session versions through 1440 for Perl generates session ids insecurely

CVSS 9.1

CVE-2026-5083 MEDIUM

Ado::Sessions versions through 0.935 for Perl generates insecure session ids

CVSS 5.3

CVE-2026-5082 MEDIUM

Amon2::Plugin::Web::CSRFDefender versions from 7.00 through 7.03 for Perl generate an insecure session id

CVSS 5.3

CVE-2026-25726 HIGH

Cloudreve is vulnerable to Account Takeover via Weak Cryptographic Token Generation (Insecure PRNG Seeding)

CVSS 8.1

CVE-2026-34871 MEDIUM

Mbed TLS <3.6.6/4.x<4.1.0 - Predictable PRNG

CVSS 6.7

CVE-2026-5087 HIGH

PAGI::Middleware::Session::Store::Cookie versions through 0.001003 for Perl generates random bytes insecurely

CVSS 7.5

CVE-2026-3256 CRITICAL

HTTP::Session versions through 0.53 for Perl defaults to using insecurely generated session ids

CVSS 9.8

CVE-2026-3255 MEDIUM

HTTP::Session2 <1.12 - Weak Session ID

CVSS 6.5

CVE-2026-2439 CRITICAL

Concierge::Sessions 0.8.1-0.8.5 - Auth Bypass

CVSS 9.8

CVE-2025-15618 CRITICAL

Business::OnlinePayment::StoredTransaction versions through 0.01 for Perl uses an insecure secret key

CVSS 9.1

CVE-2025-15604 CRITICAL

Amon2 versions before 6.17 for Perl use an insecure random_string implementation for security functions

CVSS 9.8

CVE-2025-40931 CRITICAL

Apache::Session::Generate::MD5 <=1.94 - Info Disclosure

CVSS 9.1

CVE-2025-40926 CRITICAL

Plack::Middleware::Session::Simple <=0.04 - Auth Bypass

CVSS 9.8

CVE-2025-40932 HIGH

Apache::SessionX <=2.01 - Insecure Session ID

CVSS 8.2

CVE-2025-15578 CRITICAL

Maypole 2.10-2.13 - Auth Bypass

CVSS 9.8

CVE-2025-40905 HIGH

WWW::OAuth <1.000 - Info Disclosure

CVSS 7.3

CVE-2025-66630 CRITICAL

Fiber <2.52.11 - Info Disclosure

CVSS 9.4

CVE-2025-69217 HIGH

coturn <4.7.0-r4 - Info Disclosure

CVSS 7.7

CVE-2025-68932 CRITICAL

FreshRSS <1.28.0 - Info Disclosure

CVSS 9.8

CVE-2025-26379 HIGH

PowerG <unknown - Info Disclosure

CVE-2025-67504 CRITICAL

Wbce Cms < 1.6.5 - Privilege Escalation

CVSS 9.1

Details

Vulnerabilities 171

Exploit Likelihood Medium

Links