CWE-338
Medium likelihood
Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG)
The product uses a Pseudo-Random Number Generator (PRNG) in a security context, but the PRNG's algorithm is not cryptographically strong.
184 vulnerabilities with CWE-338
CVE-2026-2439
CRITICAL
Concierge::Sessions 0.8.1-0.8.5 - Auth Bypass
CVSS 9.8
CVE-2025-15618
CRITICAL
Business::OnlinePayment::StoredTransaction versions through 0.01 for Perl use an insecure secret key
CVSS 9.1
CVE-2025-15604
CRITICAL
Amon2 versions before 6.17 for Perl use an insecure random_string implementation for security functions
CVSS 9.8
CVE-2025-40931
CRITICAL
Apache::Session::Generate::MD5 <=1.94 - Info Disclosure
CVSS 9.1
CVE-2025-40926
CRITICAL
Plack::Middleware::Session::Simple <=0.04 - Auth Bypass
CVSS 9.8
CVE-2025-40932
HIGH
Apache::SessionX <=2.01 - Insecure Session ID
CVSS 8.2
CVE-2025-15578
CRITICAL
Maypole 2.10-2.13 - Use of Cryptographically Weak PRNG for Session ID Generation
CVSS 9.8
CVE-2025-40905
HIGH
WWW::OAuth <1.000 - Info Disclosure
CVSS 7.3
CVE-2025-66630
CRITICAL
Fiber < 2.52.11 - Use of Cryptographically Weak Pseudo-Random Number Generator
CVSS 9.4
CVE-2025-69217
HIGH
coturn 4.6.2r5-4.7.0-r4 - Predictable Nonce and Port Randomization via Weak PRNG
CVSS 7.7
CVE-2025-68932
CRITICAL
FreshRSS < 1.28.0 - Account Takeover via Weak PRNG Session Tokens
CVSS 9.8
CVE-2025-26379
HIGH
Johnson Controls IQ Panels 2/2+/IQHub/IQPanel 4 PowerG Weak PRNG in Packet Encryption
CVE-2025-67504
CRITICAL
WBCE CMS < 1.6.5 - Weak Password Generation via Insecure rand() Usage
CVSS 9.1
CVE-2025-66565
CRITICAL
Fiber Utils <2.0.0-rc.3 - Info Disclosure
CVSS 9.8
CVE-2025-59390
CRITICAL
Apache Druid <= 34.0.0 - Weak Cookie Signature Secret via ThreadLocalRandom
CVSS 9.8
CVE-2025-41731
HIGH
Jumo variTRON300/500 - Weak Password Generation in Debug Interface
CVSS 7.4
CVE-2025-40925
CRITICAL
Starch < 0.14 - Predictable Session ID Generation via Weak PRNG
CVSS 9.1
CVE-2025-40933
HIGH
Apache::AuthAny::Cookie v0.201 - Info Disclosure
CVSS 7.5
CVE-2025-40920
HIGH
Catalyst::Authentication::Credential::HTTP <1.018 - Info Disclosure
CVSS 8.6
CVE-2025-54883
CRITICAL
Vision UI <=1.4.0 - Cryptographic Weakness
CVE-2025-7394
CRITICAL
wolfssl 3.15.0-5.8.0 - Use of Cryptographically Weak Pseudo-Random Number Generator via RAND_bytes() After fork()
CVSS 9.8
CVE-2025-40924
MEDIUM
Catalyst::Plugin::Session <0.44 - Info Disclosure
CVSS 6.5
CVE-2025-40919
MEDIUM
Authen::DigestMD5 <0.03 - Info Disclosure
CVSS 6.5
CVE-2025-40918
MEDIUM
Authen::SASL::Perl::DIGEST_MD5 <2.1800 - Info Disclosure
CVSS 6.5
CVE-2025-40923
HIGH
Plack-Middleware-Session <0.35 - Info Disclosure
CVSS 7.3
Details
Vulnerabilities: 184
Exploit Likelihood: Medium