CVE-2026-5088
Apache::API::Password versions through v0.5.2 for Perl can generate insecure random values for salts
| CVSS Score | 7.5 |
| EPSS Score | 0.0% |
| EPSS Percentile | 4th |
Apache::API::Password versions through v0.5.2 for Perl can generate insecure random values for salts. The `_make_salt` and `_make_salt_bcrypt` methods attempt to load Crypt::URandom and then Bytes::Random::Secure to generate random bytes for the salt. If neither module is available, the methods silently fall back to returning 16 bytes generated with Perl's built-in `rand` function, which is unsuitable for cryptographic use. These salts are used for password hashing.
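The fallback chain described above, rewritten to fail closed instead of dropping to `rand`; this is an added example, not the module's own code and not the v0.5.3 fix. The names `secure_salt` and `insecure_salt` are hypothetical, and the `/dev/urandom` step assumes a Unix-like host.

```perl
use strict;
use warnings;

# Hypothetical helper (not part of Apache::API::Password).
# Returns $len bytes from a CSPRNG, or dies if no secure source exists.
sub secure_salt {
    my ($len) = @_;
    $len //= 16;
    my $bytes;

    # First choice: Crypt::URandom, which reads the OS CSPRNG.
    # eval traps both a missing module and a failed read.
    $bytes = eval { require Crypt::URandom; Crypt::URandom::urandom($len) };
    return $bytes if defined $bytes && length($bytes) == $len;

    # Second choice: Bytes::Random::Secure.
    $bytes = eval {
        require Bytes::Random::Secure;
        Bytes::Random::Secure::random_bytes($len);
    };
    return $bytes if defined $bytes && length($bytes) == $len;

    # No module installed: read the kernel CSPRNG directly
    # (assumption: Unix-like system exposing /dev/urandom).
    if (open my $fh, '<:raw', '/dev/urandom') {
        my $got = read($fh, $bytes, $len);
        close $fh;
        return $bytes if defined $got && $got == $len;
    }

    # Fail closed: refusing to hash is safer than a predictable salt.
    die "no cryptographically secure random source available\n";
}

# Constructed sketch of the insecure pattern the advisory describes:
# 16 bytes from rand(), whose output is predictable from its seed.
# Shown for contrast only; do not use for salts.
sub insecure_salt {
    return join '', map { chr int rand 256 } 1 .. 16;
}

my $salt = secure_salt(16);
printf "salt (hex): %s\n", unpack 'H*', $salt;
```

Declaring Crypt::URandom as a hard dependency in the distribution metadata removes the need for any fallback branch on hosts where the application is deployed.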
| CWE | CWE-338 |
| Vendor | jdeguest |
| Product | apache::api::password |
| Published | Apr 15, 2026 |
| Last Updated | Apr 16, 2026 |
Affected Versions
JDEGUEST / Apache::API::Password
0 ≤ v0.5.2
References
metacpan.org: https://metacpan.org/release/JDEGUEST/Apache2-API-v0.5.3/changes
metacpan.org: https://metacpan.org/release/JDEGUEST/Apache2-API-v0.5.2/view/lib/Apache2/API/Password.pod
security.metacpan.org: https://security.metacpan.org/docs/guides/random-data-for-security.html
metacpan.org: https://metacpan.org/pod/Crypt::URandom
openwall.com: http://www.openwall.com/lists/oss-security/2026/04/15/4
openwall.com: http://www.openwall.com/lists/oss-security/2026/04/15/5