WebDyne::Session versions through 2.075 for Perl generates the session id insecurely

Description

WebDyne::Session versions through 2.075 for Perl generates the session id insecurely. The session handler generates the session id from an MD5 hash seeded with a call to the built-in rand() function. The rand function is passed a maximum value based on the process id, the epoch time and the reference address of the object, but this information will have no effect on the overall quality of the seed of the message digest. The rand function is seeded by 32-bits and is predictable. It is considered unsuitable for cryptographic purposes. Predictable session ids could allow an attacker to gain access to systems. Note that WebDyne::Session versions 1.042 and earlier appear to be in separate distributions from WebDyne.

Affected Products

Vendor	Product	Versions
webdyne	webdyne::session	0

References

Related News (2 articles)

Tier C

oss-security12h ago

CVE-2026-5084: WebDyne::Session versions through 2.075 for Perl generates the session id insecurely

→ No new info (linked only)

Tier C

VulDB19h ago

CVE-2026-5084 | ASPEER WebDyne::Session up to 2.075 on Perl rand generation of predictable numbers or identifiers

→ No new info (linked only)

CVSS 3.16.5 MEDIUM

VectorCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N

CISA KEV❌ No

Actively exploited✅ Yes

CWECWE-340, CWE-338

PublishedMay 11, 2026

Last enriched11h agov3

Trending Score61

Source articles2

Independent2

Info Completeness9/14

Missing: epss, kev, patch, iocs, mitre_attack

Community Vote

0 upvotes0 downvotes

Version History

Last enriched 11h ago

v3Tier C11h ago

Updated exploit availability to true and added CVSS estimate as 0.0.

cvssEstimateexploitAvailable

via oss-security

v2Tier C18h ago

Updated vendor to ASPEER, product to WebDyne::Session, severity to HIGH, and noted that the vulnerability is actively exploited.

descriptionseverityactivelyExploited

via VulDB

v118h ago

Initial creation