PT-2026-32282 · Unknown · Solstice::Session

Robert Rothenberg · Published 2026-04-13 · Updated 2026-04-13 · CVE-2026-5085

CVSS v3.1: 9.1 (Critical)

Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

Name of the Vulnerable Software and Affected Versions

Solstice::Session versions prior to 1441

Description

Session IDs are generated insecurely. The generateSessionID() method, also used by the generateID() method in Solstice::Subsession, produces an MD5 digest seeded by the epoch time, a random hash reference, the built-in rand() function, and the process ID. Because the epoch time can be guessed, stringified hash references contain predictable content, the rand() function is seeded by only 16 bits, and process IDs are drawn from a small set of numbers, the resulting session IDs are predictable. This could allow an attacker to gain unauthorized access to systems.

Recommendations

Update to a version later than 1440.

Related Identifiers

CVE-2026-5085

Affected Products

Solstice::Session