CVE-2026-5083

MEDIUM 5.3

Ado::Sessions versions through 0.935 for Perl generates insecure session ids

CVSS Score

5.3

EPSS Score

0.0%

EPSS Percentile

0th

Ado::Sessions versions through 0.935 for Perl generates insecure session ids. The session id is generated from a SHA-1 hash seeded with the built-in rand function, the epoch time, and the PID. The PID will come from a small set of numbers, and the epoch time may be guessed, if it is not leaked from the HTTP Date header. The built-in rand function is unsuitable for cryptographic usage. Predicable session ids could allow an attacker to gain access to systems. Note that Ado is no longer maintained, and has been removed from the CPAN index. It is still available on BackPAN.

CWE	CWE-340 CWE-338
Vendor	berov
Product	ado::sessions
Published	Apr 8, 2026
Last Updated	Apr 8, 2026

Stay Ahead of the Next One

Get instant alerts for berov ado::sessions

Be the first to know when new medium vulnerabilities affecting berov ado::sessions are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

Affected Versions

BEROV / Ado::Sessions

0 ≤ 0.935

References

NVD ↗ CVE.org ↗ EPSS Data ↗

github.com: https://github.com/kberov/Ado/issues/112 backpan.perl.org: https://backpan.perl.org/authors/id/B/BE/BEROV/Ado-0.935.tar.gz security.metacpan.org: https://security.metacpan.org/docs/guides/random-data-for-security.html openwall.com: http://www.openwall.com/lists/oss-security/2026/04/08/7