MEDIUM
GUIMARD
CVE published 2026-05-15
CVE-2026-8503
Apache::Session::Generate::SHA256 versions before 1.3.19 generate session identifiers using predictable, low-entropy sources—specifically a SHA-256 hash of Perl's built-in rand() function, epoch time, and process ID, hashed again. This weakness allows attackers to predict session IDs and potentially hijack sessions. The vulnerability was published on 2026-05-15 and last modified on 2026-05-18. Version 1.3 [truncated]
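The weakness described above, shown as an added Perl example (not code from Apache::Session or its author). The weak generator is reconstructed from the advisory's wording; the input order, the function names, the sample values and the `/dev/urandom` replacement are assumptions.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use Digest::SHA qw(sha256_hex);

# Weak pattern, reconstructed from the advisory text (input order assumed):
# a double SHA-256 over epoch time, rand() output and the process ID.
# Hashing twice adds no entropy; the ID is a pure function of its inputs.
sub weak_id_from {
    my ( $time, $rand, $pid ) = @_;
    return sha256_hex( sha256_hex( $time . $rand . $pid ) );
}

sub weak_session_id {
    return weak_id_from( time(), rand(), $$ );
}

# Hardened pattern (assumption: Unix-like host with /dev/urandom):
# 32 bytes from the kernel CSPRNG, hex-encoded to the same 64-char shape.
sub strong_session_id {
    open( my $fh, '<:raw', '/dev/urandom' )
        or die "cannot open /dev/urandom: $!\n";
    my $bytes = '';
    my $got = read( $fh, $bytes, 32 );
    close($fh);
    die "short read from /dev/urandom\n"
        unless defined $got && $got == 32;
    return unpack( 'H*', $bytes );
}

# Constructed sample inputs: an epoch second, a rand() value and a PID.
my @inputs = ( 1700000000, 0.123456789, 4242 );
my $first  = weak_id_from(@inputs);
my $second = weak_id_from(@inputs);

# Same inputs always give the same ID, so its strength is only the
# strength of the inputs, not the 256 bits the output length suggests.
printf "weak ID reproducible from inputs: %s\n",
    ( $first eq $second ? 'yes' : 'no' );
printf "weak ID length:   %d hex chars\n", length weak_session_id();

my ( $s1, $s2 ) = ( strong_session_id(), strong_session_id() );
printf "strong ID length: %d hex chars\n", length $s1;
printf "strong IDs differ: %s\n", ( $s1 ne $s2 ? 'yes' : 'no' );
```

Both generators emit 64 hex characters, so output length or format cannot distinguish a weak ID from a strong one; check the installed module version instead.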