{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-5083", "assignerOrgId": "9b29abf9-4ab0-4765-b253-1875cd9b441e", "state": "PUBLISHED", "assignerShortName": "CPANSec", "dateReserved": "2026-03-28T19:14:30.969Z", "datePublished": "2026-04-08T05:53:16.963Z", "dateUpdated": "2026-04-08T17:24:13.917Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://cpan.org/modules", "defaultStatus": "unaffected", "packageName": "Ado", "product": "Ado::Sessions", "programFiles": ["lib/Ado/Session.pm"], "programRoutines": [{"name": "Ado::Sessions::generate_id"}], "repo": "https://github.com/kberov/Ado", "vendor": "BEROV", "versions": [{"lessThanOrEqual": "0.935", "status": "affected", "version": "0", "versionType": "custom"}]}], "descriptions": [{"lang": "en", "value": "Ado::Sessions versions through 0.935 for Perl generates insecure session ids.\n\nThe session id is generated from a SHA-1 hash seeded with the built-in rand function, the epoch time, and the PID. The PID will come from a small set of numbers, and the epoch time may be guessed, if it is not leaked from the HTTP Date header. The built-in rand function is unsuitable for cryptographic usage.\n\nPredicable session ids could allow an attacker to gain access to systems.\n\nNote that Ado is no longer maintained, and has been removed from the CPAN index. It is still available on BackPAN."}], "impacts": [{"capecId": "CAPEC-115", "descriptions": [{"lang": "en", "value": "CAPEC-115 Authentication Bypass"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-340", "description": "CWE-340 Generation of Predictable Numbers or Identifiers", "lang": "en", "type": "CWE"}]}, {"descriptions": [{"cweId": "CWE-338", "description": "CWE-338 Use of Cryptographically Weak Pseudo-Random Number Generator", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "9b29abf9-4ab0-4765-b253-1875cd9b441e", "shortName": "CPANSec", "dateUpdated": "2026-04-08T05:53:16.963Z"}, "references": [{"tags": ["issue-tracking"], "url": "https://github.com/kberov/Ado/issues/112"}, {"url": "https://backpan.perl.org/authors/id/B/BE/BEROV/Ado-0.935.tar.gz"}, {"tags": ["technical-description"], "url": "https://security.metacpan.org/docs/guides/random-data-for-security.html"}], "source": {"discovery": "UNKNOWN"}, "timeline": [{"lang": "en", "time": "2017-09-02T00:00:00.000Z", "value": "Last version of Ado was released on CPAN."}, {"lang": "en", "time": "2018-09-24T00:00:00.000Z", "value": "Announcement that Ado will not be updated anymore."}], "title": "Ado::Sessions versions through 0.935 for Perl generates insecure session ids", "x_generator": {"engine": "cpansec-cna-tool 0.1"}}, "adp": [{"metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2026-04-08T16:08:27.234472Z", "id": "CVE-2026-5083", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-08T16:08:29.799Z"}}, {"title": "CVE Program Container", "references": [{"url": "http://www.openwall.com/lists/oss-security/2026/04/08/7"}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2026-04-08T17:24:13.917Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2026-5083", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-08T16:08:27.234472Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-08T16:08:22.603Z"}}], "cna": {"title": "Ado::Sessions versions through 0.935 for Perl generates insecure session ids", "source": {"discovery": "UNKNOWN"}, "impacts": [{"capecId": "CAPEC-115", "descriptions": [{"lang": "en", "value": "CAPEC-115 Authentication Bypass"}]}], "affected": [{"repo": "https://github.com/kberov/Ado", "vendor": "BEROV", "product": "Ado::Sessions", "versions": [{"status": "affected", "version": "0", "versionType": "custom", "lessThanOrEqual": "0.935"}], "packageName": "Ado", "programFiles": ["lib/Ado/Session.pm"], "collectionURL": "https://cpan.org/modules", "defaultStatus": "unaffected", "programRoutines": [{"name": "Ado::Sessions::generate_id"}]}], "timeline": [{"lang": "en", "time": "2017-09-02T00:00:00.000Z", "value": "Last version of Ado was released on CPAN."}, {"lang": "en", "time": "2018-09-24T00:00:00.000Z", "value": "Announcement that Ado will not be updated anymore."}], "references": [{"url": "https://github.com/kberov/Ado/issues/112", "tags": ["issue-tracking"]}, {"url": "https://backpan.perl.org/authors/id/B/BE/BEROV/Ado-0.935.tar.gz"}, {"url": "https://security.metacpan.org/docs/guides/random-data-for-security.html", "tags": ["technical-description"]}], "x_generator": {"engine": "cpansec-cna-tool 0.1"}, "descriptions": [{"lang": "en", "value": "Ado::Sessions versions through 0.935 for Perl generates insecure session ids.\n\nThe session id is generated from a SHA-1 hash seeded with the built-in rand function, the epoch time, and the PID. The PID will come from a small set of numbers, and the epoch time may be guessed, if it is not leaked from the HTTP Date header. The built-in rand function is unsuitable for cryptographic usage.\n\nPredicable session ids could allow an attacker to gain access to systems.\n\nNote that Ado is no longer maintained, and has been removed from the CPAN index. It is still available on BackPAN."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-340", "description": "CWE-340 Generation of Predictable Numbers or Identifiers"}]}, {"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-338", "description": "CWE-338 Use of Cryptographically Weak Pseudo-Random Number Generator"}]}], "providerMetadata": {"orgId": "9b29abf9-4ab0-4765-b253-1875cd9b441e", "shortName": "CPANSec", "dateUpdated": "2026-04-08T05:53:16.963Z"}}}, "cveMetadata": {"cveId": "CVE-2026-5083", "state": "PUBLISHED", "dateUpdated": "2026-04-08T16:08:29.799Z", "dateReserved": "2026-03-28T19:14:30.969Z", "assignerOrgId": "9b29abf9-4ab0-4765-b253-1875cd9b441e", "datePublished": "2026-04-08T05:53:16.963Z", "assignerShortName": "CPANSec"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Ado::Sessions versions through 0.935 for Perl generates insecure session ids.\n\nThe session id is generated from a SHA-1 hash seeded with the built-in rand function, the epoch time, and the PID. The PID will come from a small set of numbers, and the epoch time may be guessed, if it is not leaked from the HTTP Date header. The built-in rand function is unsuitable for cryptographic usage.\n\nPredicable session ids could allow an attacker to gain access to systems.\n\nNote that Ado is no longer maintained, and has been removed from the CPAN index. It is still available on BackPAN."}], "id": "CVE-2026-5083", "lastModified": "2026-04-08T21:26:35.910", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2026-04-08T06:16:29.163", "references": [{"source": "9b29abf9-4ab0-4765-b253-1875cd9b441e", "url": "https://backpan.perl.org/authors/id/B/BE/BEROV/Ado-0.935.tar.gz"}, {"source": "9b29abf9-4ab0-4765-b253-1875cd9b441e", "url": "https://github.com/kberov/Ado/issues/112"}, {"source": "9b29abf9-4ab0-4765-b253-1875cd9b441e", "url": "https://security.metacpan.org/docs/guides/random-data-for-security.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.openwall.com/lists/oss-security/2026/04/08/7"}], "sourceIdentifier": "9b29abf9-4ab0-4765-b253-1875cd9b441e", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-338"}, {"lang": "en", "value": "CWE-340"}], "source": "9b29abf9-4ab0-4765-b253-1875cd9b441e", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[0,0.935]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "Ado::Sessions", "source": "cna", "vendor": "BEROV"}, "product": "ado::sessions", "vendor": "berov"}], "analysis": {"en": {"generated_at": "2026-04-08T18:20:57.691921+00:00", "value": {"mitigation_remediation": ["Replace Ado::Sessions with a maintained session management library that generates cryptographically secure identifiers.", "If replacement is not immediately possible, override the ID generation to use a secure random source such as Crypt::Secure::random_bytes instead of Perl's rand().", "Ensure the application does not expose the epoch time or other predictable data (e.g., HTTP Date headers) that could aid an attacker in guessing session identifiers."], "summary": {"action": "Replace Dependency", "impact": "Predictable Session IDs"}, "threat_synthesis": {"affected_systems": "Systems that use BEROV's Ado::Sessions module in any Perl application are affected, specifically any installation of versions 0.935 or earlier. The module is no longer maintained and has been removed from the CPAN index, but remains available on BackPAN. Any Perl project that includes or requires the Ado::Sessions library inherits the predictable session ID weakness.", "description_and_impact": "Ado::Sessions versions through 0.935 for Perl produce session identifiers by hashing the output of Perl's built\u2011in rand() function together with the current epoch time and the process ID. Because rand() is not cryptographically secure, the PID comes from a limited set of numbers, and the epoch time can sometimes be inferred from the HTTP Date header, the resulting session IDs are low\u2011entropy and predictable.\n\nThis weakness can allow an attacker to guess or brute\u2011force a valid session identifier, leading to unauthorized access to the application. The flaw is a classic instance of insufficient entropy in cryptographic material (CWE\u2011338) and predictable random number generation (CWE\u2011340).", "risk_and_exploitability": "The CVSS base score for this issue is 5.3, indicating moderate severity. The EPSS score is less than 1\u202f%, suggesting a low probability of exploitation in the short term. The vulnerability is not listed in CISA's KEV catalog. The likely attack vector is an attacker attempting to guess or brute\u2011force session identifiers, potentially aided by exposure of the epoch time through HTTP headers or log data. Exploitation would require access to the affected application's session store or a server that shares the same process ID space."}}}}, "created": "2026-04-08T19:31:16.417822+00:00", "updated": "2026-04-08T19:43:50.872243+00:00", "vendors": ["berov", "berov$PRODUCT$ado::sessions"]}