PT-2026-31087 · Amon2 · Amon2::Plugin::Web::Csrfdefender

Published

2026-04-08

Updated

2026-04-13

CVE-2026-5082

CVSS v3.1

5.3

Medium

Vector

AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

Name of the Vulnerable Software and Affected Versions Amon2::Plugin::Web::CSRFDefender versions 7.00 through 7.03

Description Amon2::Plugin::Web::CSRFDefender versions 7.00 through 7.03 for Perl generate an insecure session ID. The generate session id function attempts to read from /dev/urandom, but falls back to a SHA-1 hash seeded with the built-in rand() function, the PID, and the high-resolution epoch time if /dev/urandom is unavailable. The PID is from a small set of numbers, and the epoch time may be guessed. The built-in rand() function is unsuitable for cryptographic usage.

Recommendations Update to a version prior to 7.00.

Fix

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-340CWE-338

Related Identifiers

CVE-2026-5082

Affected Products

Amon2::Plugin::Web::Csrfdefender

PT-2026-31087 · Amon2 · Amon2::Plugin::Web::Csrfdefender

CVE-2026-5082

Weakness Enumeration

Related Identifiers

Affected Products

References · 7