CVE-2026-8503

Published: May 15, 2026. Last Modified: May 18, 2026.
Severity: MEDIUM 6.5
Source: 134c704f-9b21-4f2e-91b3-4a467353bcc0
Attack Vector: network
Attack Complexity: low
Privileges Required: none
User Interaction: none
Scope: unchanged
Confidentiality: low
Integrity: low
Availability: none

Description


Apache::Session::Generate::SHA256 versions before 1.3.19 for Perl create insecure session ids.

Apache::Session::Generate::SHA256 generated session ids insecurely. The default session id generator returns a SHA-256 hash of the output of the built-in rand() function, the epoch time, and the PID, which is then hashed again. These are predictable, low-entropy sources, and hashing them does not add entropy. Predictable session ids could allow an attacker to gain access to systems.

Note that version 1.3.19 falls back, without any warning, to the insecure session generation method if the call to Crypt::URandom::urandom fails. This is unlikely, however, because Crypt::URandom is a hard-coded requirement of the module.

This issue is similar to CVE-2025-40931 for Apache::Session::Generate::MD5.
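As an added illustration (not the module's own code, and not the code from the linked commit), the weak construction the description above reconstructs is shown beside a fail-closed alternative that draws the id from Crypt::URandom; the function names are assumptions made here:

```perl
use strict;
use warnings;
use Digest::SHA    qw(sha256_hex);
use Crypt::URandom qw(urandom);

# Weak construction as the advisory describes it (illustrative reconstruction, not the
# module's code): SHA-256 over rand(), the epoch time and the PID, hashed a second time.
# Hashing does not add entropy; the id is only as unpredictable as its inputs.
sub weak_session_id {
    my ($epoch) = @_;
    $epoch //= time();
    return substr(sha256_hex(sha256_hex(rand() . $epoch . $$)), 0, 32);
}

# Hardened construction: take the id from the OS CSPRNG via Crypt::URandom and fail
# closed if it is unavailable, instead of silently falling back to the weak path.
sub secure_session_id {
    my $bytes = eval { urandom(16) };
    die "secure RNG unavailable, refusing to issue a session id: $@" unless defined $bytes;
    return unpack('H*', $bytes);    # 128 bits of entropy, 32 hex characters
}

# Self-check (constructed): with the seed and the second fixed, the weak generator
# reproduces the same id in this process, which is the predictability the advisory warns about.
my $epoch = time();
srand(42); my $first  = weak_session_id($epoch);
srand(42); my $second = weak_session_id($epoch);
printf "weak ids repeat under a known seed: %s\n", $first eq $second ? 'yes' : 'no';

# The CSPRNG-backed ids do not repeat between calls.
my ($id1, $id2) = (secure_session_id(), secure_session_id());
printf "secure ids distinct: %s\n", $id1 ne $id2 ? 'yes' : 'no';
```

When auditing an application that uses this module, check the installed version against 1.3.19 and confirm that Crypt::URandom loads successfully in the deployment environment, since the fallback described above is silent.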

EPSS (Exploit Prediction Scoring System)

Predicts the probability of exploitation based on threat intelligence and vulnerability characteristics.

EPSS Score: 0.0003
Percentile: 0.1th

CWE-338: Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG)

Status: Draft
Common Consequences
Security Scopes Affected: Access Control
Potential Impacts: Bypass Protection Mechanism
Applicable Platforms: All platforms may be affected
CWE-340: Generation of Predictable Numbers or Identifiers

Status: Incomplete
Common Consequences
Security Scopes Affected: Other
Potential Impacts: Varies By Context
Applicable Platforms: All platforms may be affected
Application

Apache::Session::Generate::SHA256 by Guimard

Version Range Affected: up to 1.3.19 (exclusive)
cpe:2.3:a:guimard:apache\:\:session\:\:generate\:\:sha256:*:*:*:*:*:perl:*:*
https://github.com/LemonLDAPNG/Apache-Session-Browseable/commit/cc915cbbd266776…
https://metacpan.org/release/GUIMARD/Apache-Session-Browseable-1.3.19/changes
https://metacpan.org/release/GUIMARD/Apache-Session-Browseable-1.3.19/diff/GUIM…
https://www.cve.org/CVERecord?id=CVE-2025-40931
https://www.cve.org/CVERecord?id=CVE-2025-40932