PT-2026-22392 · Unknown · Http::Session2

Tokuhirom · Published 2026-02-27 · Updated 2026-03-08 · CVE-2026-3255

CVSS v3.1: 6.5 (Medium)

Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L
Name of the Vulnerable Software and Affected Versions: HTTP::Session2 versions prior to 1.12

Description: The software may generate weak session IDs using the rand() function. The session ID generator returns a SHA-1 hash seeded with the rand() function, epoch time, and the process ID (PID). The rand() function is not suitable for cryptographic purposes. If the /dev/urandom device is unavailable, the software reverts to this insecure method.

Recommendations: Update to version 1.12 or later.
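
For deployments that cannot upgrade immediately, the failure mode above (a silent rand() fallback when /dev/urandom is unavailable) can be avoided by failing closed. The following Perl sketch is an added example, not HTTP::Session2's code and not the fix shipped in 1.12; the function name generate_session_id_strict and its optional source-path parameter are hypothetical.

```perl
use strict;
use warnings;

# Hypothetical helper (not part of HTTP::Session2's API): return a
# 40-hex-character session ID read from the kernel CSPRNG, or die.
# There is deliberately no rand()/time/PID fallback.
sub generate_session_id_strict {
    my ($source) = @_;
    $source //= '/dev/urandom';   # parameter exists so the failure path can be exercised
    my $want = 20;                # 160 bits, the same length as a SHA-1 digest

    open(my $fh, '<:raw', $source)
        or die "cannot open $source: $!; refusing to fall back to rand()\n";

    # sysread may return fewer bytes than requested, so loop until full.
    my $buf = '';
    while (length($buf) < $want) {
        my $n = sysread($fh, $buf, $want - length($buf), length($buf));
        die "read from $source failed: $!\n" unless defined $n;
        die "short read from $source (" . length($buf) . " of $want bytes)\n"
            if $n == 0;
    }
    close($fh);

    return unpack('H*', $buf);    # lowercase hex, 40 characters
}

# Normal path: the ID comes entirely from the CSPRNG.
my $sid = generate_session_id_strict();
print "session id: $sid\n";

# Failure path, using a constructed nonexistent device path: the call
# dies instead of producing a predictable ID.
my $ok = eval { generate_session_id_strict('/nonexistent/urandom'); 1 };
print "fallback refused: $@" unless $ok;
```

Because the function dies rather than degrading, a missing /dev/urandom (for example in a minimal chroot or container) surfaces as a startup or request error that operators can see, instead of as predictable session IDs.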

Fix


Weakness Enumeration

Related identifiers

CVE-2026-3255

Affected products

Http::Session2