CVE-2026-5083

5.3 MEDIUM
Published: April 08, 2026 Modified: April 08, 2026

Description

Ado::Sessions versions through 0.935 for Perl generate insecure session ids. The session id is generated from a SHA-1 hash seeded with the built-in rand function, the epoch time, and the PID. The PID will come from a small set of numbers, and the epoch time may be guessed, if it is not leaked from the HTTP Date header. The built-in rand function is unsuitable for cryptographic usage. Predictable session ids could allow an attacker to gain access to systems. Note that Ado is no longer maintained, and has been removed from the CPAN index. It is still available on BackPAN.

CVSS v3.x Details

Vector String
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

References to Advisories, Solutions, and Tools

https://backpan.perl.org/authors/id/B/BE/BEROV/Ado-0.935.tar.gz
Source: 9b29abf9-4ab0-4765-b253-1875cd9b441e
https://github.com/kberov/Ado/issues/112
Source: 9b29abf9-4ab0-4765-b253-1875cd9b441e
http://www.openwall.com/lists/oss-security/2026/04/08/7
Source: af854a3a-2127-422b-91ae-364da2661108

4 reference(s) from NVD

Quick Stats

CVSS v3 Score: 5.3 / 10.0
EPSS (Exploit Probability): 0.0% (12th percentile)
Exploitation Status: Not in CISA KEV

Weaknesses (CWE)