PT-2026-36091 · Cpan · Dancer::Session::Abstract

Robert Rothenberg · Published 2026-04-30 · Updated 2026-04-30 · CVE-2026-5080

CVSS v3.1: 5.9 (Medium)

Vector: AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H

Name of the Vulnerable Software and Affected Versions

Dancer::Session::Abstract versions prior to 1.3523

Description

Session IDs are generated insecurely by summing the character codepoints of the absolute pathname with the process ID, the epoch time, and a value from the built-in rand() function (returning a number between 0 and 999 billion), then concatenating the result three times. The absolute pathname may be guessed or known, the epoch time can be predicted or leaked via HTTP headers, and process IDs often come from a small, sequential set. Additionally, the rand() function is seeded with 32 bits, making it unsuitable for security purposes. This predictability allows an attacker to potentially gain unauthorized system access.

Recommendations

Update to a version later than 1.3522.
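
For contrast with the scheme described above, here is an added example (not code from Dancer or from this advisory) of a session ID drawn entirely from the operating system's CSPRNG, with none of the guessable inputs (path, PID, time, rand()). The helper names csprng_bytes, new_session_id and is_well_formed_id are hypothetical; it assumes a Unix-like system with /dev/urandom and MIME::Base64 3.11 or later.

```perl
#!/usr/bin/env perl
use strict;
use warnings;
use MIME::Base64 qw(encode_base64url);

# Hypothetical helper (not part of Dancer): return exactly $nbytes
# from the kernel CSPRNG, failing closed on any short or failed read.
sub csprng_bytes {
    my ($nbytes) = @_;
    open(my $fh, '<:raw', '/dev/urandom')
        or die "cannot open /dev/urandom: $!";
    my $buf = '';
    while (length($buf) < $nbytes) {
        my $got = read($fh, $buf, $nbytes - length($buf), length($buf));
        die "read from /dev/urandom failed: $!" unless defined $got;
        die "unexpected EOF on /dev/urandom" if $got == 0;
    }
    close($fh);
    return $buf;
}

# Hypothetical session-ID builder: 32 random bytes (256 bits),
# encoded as unpadded URL-safe base64, which is 43 characters.
sub new_session_id {
    return encode_base64url(csprng_bytes(32));
}

# Shape check for an ID received from a client cookie: accept only
# what new_session_id() can produce, before any session-store lookup.
sub is_well_formed_id {
    my ($id) = @_;
    return (defined($id) && $id =~ /\A[A-Za-z0-9_-]{43}\z/) ? 1 : 0;
}

my $id = new_session_id();
die "generated a malformed session id" unless is_well_formed_id($id);
print "$id\n";
```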

Weakness Enumeration

Related Identifiers

CVE-2026-5080

Affected Products

Dancer::Session::Abstract