cvedb.io
CVE-2026-3255
MEDIUM · CVSS 6.5
EPSS exploitation probability: 0%
Published 2026-02-27T20:21:41.180 · Last modified 2026-06-17T10:43:17.030

Summary

HTTP::Session2 versions before 1.12 for Perl may generate weak session ids using the rand() function. The HTTP::Session2 session id generator returns a SHA-1 hash seeded with the built-in rand() function, the epoch time, and the PID. The PID comes from a small set of numbers, and the epoch time may be guessed if it is not leaked from the HTTP Date header. The built-in rand() function is unsuitable for cryptographic usage. HTTP::Session2 after version 1.02 will attempt to use the /dev/urandom device to generate a session id, but if the device is unavailable (for example, under Windows), it will revert to the insecure method described above.
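
The failure mode described above is the silent fallback from /dev/urandom to rand(). The following Perl sketch is an added example, not HTTP::Session2 code: it shows a session id generator that fails closed when the random device cannot be read. The helper names, the 32-byte id length and the device-path parameter are assumptions made for illustration.

```perl
#!/usr/bin/env perl
# Added example (not from HTTP::Session2): fail-closed session id generation.
use strict;
use warnings;

# Assumption: 32 random bytes (256 bits) per session id.
my $ID_BYTES = 32;

# Hypothetical helper: read exactly $n bytes from a kernel random device.
# Dies on any error; it never substitutes rand(), time or the PID.
sub random_bytes {
    my ($n, $device) = @_;
    $device //= '/dev/urandom';
    open(my $fh, '<:raw', $device)
        or die "no secure random source ($device): $!\n";
    my $buf = '';
    while (length($buf) < $n) {
        # Append at the current end of $buf so short reads are handled.
        my $got = read($fh, $buf, $n - length($buf), length($buf));
        die "read from $device failed: $!\n" unless defined $got;
        die "unexpected EOF on $device\n"    if $got == 0;
    }
    close($fh);
    return $buf;
}

# Hypothetical helper: hex-encode the random bytes to form the session id.
sub generate_session_id {
    my ($device) = @_;
    return unpack('H*', random_bytes($ID_BYTES, $device));
}

# Normal path: the id is drawn only from the kernel CSPRNG.
print "session id: ", generate_session_id(), "\n";

# Constructed failure case: a device path that does not exist stands in for
# a platform without /dev/urandom. The generator must refuse, not fall back.
my $ok = eval { generate_session_id('/nonexistent/urandom'); 1 };
print $ok ? "BUG: an id was produced without a secure source\n"
          : "refused as expected: $@";
```

On a platform without /dev/urandom this generator dies at startup of a session instead of issuing guessable ids; a platform CSPRNG would have to be wired into random_bytes there.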

Affected products

tokuhirom — http\

This product uses data from the NVD API but is not endorsed or certified by the NVD. Informational only; not professional security advice.