CVE-2026-5082 | TOKUHIROM Amon2::Plugin::Web::CSRFDefender up to 7.03 on Perl /dev/urandom rand generation of predictable numbers or identifiers
VulDB entry, archived Apr 08, 2026
A vulnerability classified as problematic has been found in TOKUHIROM Amon2::Plugin::Web::CSRFDefender up to 7.03 on Perl. This issue affects the function rand of the file /dev/urandom . Performing a manipulation results in generation of predictable numbers or identifiers. This vulnerability is cataloged as CVE-2026-5082 . It is possible to initiate the attack remotely. There is no exploit available. It is recommended to upgrade the affected component.
VDB-356020 · CVE-2026-5082 · GCVE-0-2026-5082
CVSS Meta Temp Score: 3.6
Current Exploit Price (≈): $0-$5k
CTI Interest Score: 0.35+
Summary
A vulnerability classified as problematic was found in TOKUHIROM Amon2::Plugin::Web::CSRFDefender up to 7.03 on Perl. Impacted is the function rand of the file /dev/urandom. Executing a manipulation can lead to generation of predictable numbers or identifiers. This vulnerability is registered as CVE-2026-5082. It is possible to launch the attack remotely. No exploit is available. Upgrading the affected component is advised.
Details
A vulnerability was found in TOKUHIROM Amon2::Plugin::Web::CSRFDefender up to 7.03 on Perl. It has been declared as problematic. This vulnerability affects the function rand of the file /dev/urandom. Manipulation with an unknown input leads to a vulnerability of the type generation of predictable numbers or identifiers. The CWE definition for the vulnerability is CWE-340: the product uses a scheme that generates numbers or identifiers that are more predictable than required. The known impact is on confidentiality. CVE summarizes:
Amon2::Plugin::Web::CSRFDefender versions from 7.00 through 7.03 for Perl generate an insecure session id. The generate_session_id function will attempt to read bytes from the /dev/urandom device, but if that is unavailable then it generates bytes using SHA-1 hash seeded with the built-in rand() function, the PID, and the high resolution epoch time. The PID will come from a small set of numbers, and the epoch time may be guessed, if it is not leaked from the HTTP Date header. The built-in rand function is unsuitable for cryptographic usage. Amon2::Plugin::Web::CSRFDefender versions before 7.00 were part of Amon2, which was vulnerable to insecure session ids due to CVE-2025-15604. Note that the author has deprecated this module.
The advisory is shared for download at metacpan.org. This vulnerability was named CVE-2026-5082 since 03/28/2026. The exploitation appears to be difficult. The attack can be initiated remotely. No form of authentication is required for a successful exploitation. There are known technical details, but no exploit is available. The MITRE ATT&CK project declares the attack technique as T1600.001.
Upgrading eliminates this vulnerability.
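The fallback described in the CVE text, reconstructed beside a fail-closed replacement, as an added example that is not the module's own code (the function names and the 32-byte length are assumptions):

```perl
use strict;
use warnings;
use Digest::SHA qw(sha1_hex);
use Time::HiRes ();

# Weak fallback, reconstructed from the CVE description (not the module's
# actual code): rand() is not a CSPRNG, $$ is drawn from a small range and
# the epoch time can be guessed or read from the HTTP Date header, so the
# SHA-1 input carries far less entropy than its 160-bit output suggests.
sub weak_fallback_id {
    return sha1_hex( rand() . $$ . Time::HiRes::time() );
}

# Hardened version: take 32 bytes from the kernel CSPRNG and refuse to
# issue a session id at all if the device is missing or the read is short,
# instead of silently degrading to the predictable scheme above.
sub secure_session_id {
    my $want = 32;    # 256 bits of entropy (assumed length)
    open my $fh, '<:raw', '/dev/urandom'
        or die "cannot open /dev/urandom, refusing to issue session id: $!";
    my $got = read( $fh, my $bytes, $want );
    close $fh;
    die "short read from /dev/urandom, refusing to issue session id"
        unless defined $got && $got == $want;
    return unpack 'H*', $bytes;    # 64 hex characters, entropy preserved
}

# Self-check: two ids from the hardened generator must never collide.
my ( $id1, $id2 ) = ( secure_session_id(), secure_session_id() );
die "unexpected collision" if $id1 eq $id2;
print "session id: $id1\n";
```

Dying on a missing or short /dev/urandom turns the silent downgrade into an operational error that monitoring will surface, which is the property the affected versions lack.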
Product
Vendor: TOKUHIROM
Name: Amon2::Plugin::Web::CSRFDefender
Version: 7.03
CVSSv3
VulDB Meta Base Score: 3.7
VulDB Meta Temp Score: 3.6
VulDB Base Score: 3.7
VulDB Temp Score: 3.6
Exploiting
Class: Generation of predictable numbers or identifiers
CWE: CWE-340 / CWE-331 / CWE-330
Physical: No
Local: No
Remote: Yes
Status: Not defined
Countermeasures
Recommended: Upgrade
Timeline
03/28/2026 CVE reserved
04/08/2026 +10 days Advisory disclosed
04/08/2026 +0 days VulDB entry created
04/08/2026 +0 days VulDB entry last update
Sources
Advisory: metacpan.org
Status: Confirmed
CVE: CVE-2026-5082
GCVE (CVE): GCVE-0-2026-5082
GCVE (VulDB): GCVE-100-356020
Entry
Created: 04/08/2026 08:56
Changes: 04/08/2026 08:56 (55)