PT-2026-33009 · Jdeguest · Apache::Api::Password

Published 2026-04-15 · Updated 2026-04-15 · CVE-2026-5088

None

No severity ratings or metrics are available. When they are, we'll update the corresponding info on the page.
Apache::API::Password versions through v0.5.2 for Perl can generate insecure random values for salts.
The make salt and make salt bcrypt methods will attempt to load Crypt::URandom and then Bytes::Random::Secure to generate random bytes for the salt. If those modules are unavailable, they simply return 16 bytes generated with Perl's built-in rand function.
The rand function is unsuitable for cryptographic use.
These salts are used for password hashing.
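
The following Perl sketch is an added example, not code from Apache::API::Password: it keeps the module preference order described above but fails closed instead of falling back to rand, and shows beside it why the rand fallback is unsuitable. The helper names `secure_salt_bytes` and `weak_salt_bytes` are hypothetical, and `weak_salt_bytes` only illustrates the fallback as this advisory describes it.

```perl
#!/usr/bin/env perl
# Added example; helper names are hypothetical, not the module's API.
use strict;
use warnings;

# Return $len bytes from a CSPRNG-backed module, or die.
# Preference order follows the advisory: Crypt::URandom first,
# then Bytes::Random::Secure. There is no rand() fallback.
sub secure_salt_bytes {
    my ($len) = @_;
    $len = 16 unless defined $len;

    if (eval { require Crypt::URandom; 1 }) {
        return Crypt::URandom::urandom($len);
    }
    if (eval { require Bytes::Random::Secure; 1 }) {
        return Bytes::Random::Secure::random_bytes($len);
    }
    die "Neither Crypt::URandom nor Bytes::Random::Secure is installed; "
      . "refusing to build a salt from rand()\n";
}

# Illustration of the weak fallback the advisory describes:
# $len bytes taken from Perl's built-in rand().
sub weak_salt_bytes {
    my ($len) = @_;
    return pack 'C*', map { int rand 256 } 1 .. $len;
}

# 1. Report whether this Perl installation has a usable CSPRNG module.
my $salt = eval { secure_salt_bytes(16) };
if (defined $salt) {
    printf "CSPRNG salt (hex): %s\n", unpack 'H*', $salt;
}
else {
    print "No CSPRNG module found, rand() fallback would be used: $@";
}

# 2. rand() output is fully determined by its seed: the same seed
#    (constructed value, for demonstration) yields the same "salt".
srand(1234);
my $first = weak_salt_bytes(16);
srand(1234);
my $second = weak_salt_bytes(16);
printf "rand() salts identical under the same seed: %s\n",
    ($first eq $second ? 'yes' : 'no');
```

Run under the same Perl interpreter the application uses; the first line of output shows whether that environment would reach the rand fallback.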

Weakness Enumeration

Related Identifiers

CVE-2026-5088

Affected Products

Apache::Api::Password