CVE-2025-15578

CRITICAL

Maypole 2.10-2.13 - Auth Bypass

Description

Maypole versions 2.10 through 2.13 for Perl generate session IDs insecurely. The session ID is seeded with the system time (which is available from HTTP response headers), a call to the built-in rand() function, and the PID.

Scores

CVSS v3 9.8
EPSS 0.0006
EPSS Percentile 18.4%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation none
Automatable yes
Technical Impact total

Details

CWE CWE-338
Status published
Products (3)
teejay/maypole 2.111
teejay/maypole 2.121
teejay/maypole 2.10 - 2.13
Published Feb 16, 2026
Tracked Since Feb 18, 2026