{"dataType":"CVE_RECORD","dataVersion":"5.2","cveMetadata":{"cveId":"CVE-2026-5082","assignerOrgId":"9b29abf9-4ab0-4765-b253-1875cd9b441e","state":"PUBLISHED","assignerShortName":"CPANSec","dateReserved":"2026-03-28T19:12:35.387Z","datePublished":"2026-04-08T05:48:43.633Z","dateUpdated":"2026-04-08T16:09:26.357Z"},"containers":{"cna":{"affected":[{"collectionURL":"https://cpan.org/modules","defaultStatus":"unaffected","packageName":"Amon2-Plugin-Web-CSRFDefender","product":"Amon2::Plugin::Web::CSRFDefender","programFiles":["lib/Amon2/Plugin/Web/CSRFDefender/Random.pm"],"programRoutines":[{"name":"Amon2::Plugin::Web::CSRFDefender::Random::generate_session_id"}],"repo":"https://github.com/tokuhirom/Amon2-Plugin-Web-CSRFDefender","vendor":"TOKUHIROM","versions":[{"lessThanOrEqual":"7.03","status":"affected","version":"7.00","versionType":"custom"}]}],"descriptions":[{"lang":"en","value":"Amon2::Plugin::Web::CSRFDefender versions from 7.00 through 7.03 for Perl generate an insecure session id.\n\nThe generate_session_id function will attempt to read bytes from the /dev/urandom device, but if that is unavailable then it generates bytes using SHA-1 hash seeded with the built-in rand() function, the PID, and the high resolution epoch time.  The PID will come from a small set of numbers, and the epoch time may be guessed, if it is not leaked from the HTTP Date header. The built-in rand function is unsuitable for cryptographic usage.\n\nAmon2::Plugin::Web::CSRFDefender versions before 7.00 were part of Amon2, which was vulnerable to insecure session ids due to CVE-2025-15604.\n\nNote that the author has deprecated this module."}],"impacts":[{"capecId":"CAPEC-62","descriptions":[{"lang":"en","value":"CAPEC-62 Cross Site Request Forgery"}]}],"problemTypes":[{"descriptions":[{"cweId":"CWE-340","description":"CWE-340 Generation of Predictable Numbers or Identifiers","lang":"en","type":"CWE"}]},{"descriptions":[{"cweId":"CWE-338","description":"CWE-338 Use of Cryptographically Weak Pseudo-Random Number Generator","lang":"en","type":"CWE"}]}],"providerMetadata":{"orgId":"9b29abf9-4ab0-4765-b253-1875cd9b441e","shortName":"CPANSec","dateUpdated":"2026-04-08T05:48:43.633Z"},"references":[{"url":"https://metacpan.org/release/TOKUHIROM/Amon2-Plugin-Web-CSRFDefender-7.03/source/lib/Amon2/Plugin/Web/CSRFDefender/Random.pm"},{"tags":["release-notes"],"url":"https://metacpan.org/release/TOKUHIROM/Amon2-Plugin-Web-CSRFDefender-7.04/changes"},{"tags":["related","vendor-advisory"],"url":"https://www.cve.org/CVERecord?id=CVE-2025-15604"}],"solutions":[{"lang":"en","value":"Upgrade to Amon2::Plugin::Web::CSRFDefender version 7.04 or later."}],"source":{"discovery":"UNKNOWN"},"title":"Amon2::Plugin::Web::CSRFDefender versions from 7.00 through 7.03 for Perl generate an insecure session id","x_generator":{"engine":"cpansec-cna-tool 0.1"}},"adp":[{"metrics":[{"cvssV3_1":{"scope":"UNCHANGED","version":"3.1","baseScore":5.3,"attackVector":"NETWORK","baseSeverity":"MEDIUM","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L","integrityImpact":"NONE","userInteraction":"NONE","attackComplexity":"LOW","availabilityImpact":"LOW","privilegesRequired":"NONE","confidentialityImpact":"NONE"}},{"other":{"type":"ssvc","content":{"timestamp":"2026-04-08T16:09:08.752556Z","id":"CVE-2026-5082","options":[{"Exploitation":"none"},{"Automatable":"yes"},{"Technical Impact":"partial"}],"role":"CISA Coordinator","version":"2.0.3"}}}],"title":"CISA ADP Vulnrichment","providerMetadata":{"orgId":"134c704f-9b21-4f2e-91b3-4a467353bcc0","shortName":"CISA-ADP","dateUpdated":"2026-04-08T16:09:26.357Z"}}]}}