Unknown · Http::Session2 · CVE-2026-3255
**Name of the Vulnerable Software and Affected Versions**
HTTP::Session2 versions prior to 1.12
**Description**
If the `/dev/urandom` device is unavailable, the software falls back to an insecure session ID generator built on the `rand()` function. That generator returns a SHA-1 hash seeded with the `rand()` function, epoch time, and the process ID (`PID`). The `rand()` function is not suitable for cryptographic purposes, so session IDs produced this way may be weak.
**Recommendations**
Update to version 1.12 or later.
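The Perl sketch below is an added example, not HTTP::Session2's own code or the 1.12 fix. It sets the fallback pattern from the description beside a generator that reads `/dev/urandom` and refuses to issue an ID when the device cannot be read. The function names, the concatenation order in the weak variant, and the 20-byte length are assumptions made for illustration.

```perl
#!/usr/bin/env perl
use strict;
use warnings;
use Digest::SHA qw(sha1_hex);

# Weak pattern as described in the advisory (illustrative reconstruction,
# not the module's source): rand() is not a CSPRNG, and the epoch time and
# PID are guessable, so hashing them with SHA-1 adds no secrecy.
sub weak_session_id {
    return sha1_hex(rand() . time() . $$);
}

# Hardened form: read from the kernel CSPRNG and die instead of degrading.
# Both parameters are hypothetical; the device path is overridable only so
# the fail-closed behaviour can be exercised below.
sub strong_session_id {
    my ($nbytes, $device) = @_;
    $nbytes //= 20;                 # 160 bits, same size as a SHA-1 digest
    $device //= '/dev/urandom';

    open(my $fh, '<:raw', $device)
        or die "cannot open $device: $!; refusing to fall back to rand()\n";
    my $buf = '';
    while (length($buf) < $nbytes) {
        # Append at the current end of $buf until $nbytes have been read.
        my $got = read($fh, $buf, $nbytes - length($buf), length($buf));
        die "read from $device failed: $!\n" unless defined $got;
        die "unexpected EOF on $device\n"    if $got == 0;
    }
    close($fh);
    return unpack('H*', $buf);      # hex-encode for use as a cookie value
}

print "weak:   ", weak_session_id(),   "\n";
print "strong: ", strong_session_id(), "\n";

# Fail-closed check with a constructed, nonexistent path: the call must
# raise rather than hand back an ID from a weaker source.
my $id = eval { strong_session_id(20, '/nonexistent/urandom') };
print "missing device -> ",
    (defined $id ? "ID ISSUED (bad)\n" : "refused: $@");
```

Running it in the deployment environment (for example inside the chroot or container the application uses) also shows whether `/dev/urandom` is actually readable there, which is the condition that triggers the weak path in versions prior to 1.12.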