CVE-2026-5087

Source
https://cve.org/CVERecord?id=CVE-2026-5087
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-5087.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-5087
Published
2026-03-31T16:03:08.278Z
Modified
2026-07-08T06:59:42.304056463Z
Severity
  • 7.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N CVSS Calculator
Summary
PAGI::Middleware::Session::Store::Cookie versions through 0.001003 for Perl generates random bytes insecurely
Details

PAGI::Middleware::Session::Store::Cookie versions through 0.001003 for Perl generates random bytes insecurely.

PAGI::Middleware::Session::Store::Cookie attempts to read bytes from the /dev/urandom device directly. If that fails (for example, on systems without the device, such as Windows), then it will emit a warning that recommends the user install Crypt::URandom, and then return a string of random bytes generated by the built-in rand function, which is unsuitable for cryptographic applications.

This modules does not use the Crypt::URandom module, and installing it will not fix the problem.

The random bytes are used for generating an initialisation vector (IV) to encrypt the cookie.

A predictable IV may make it easier for malicious users to decrypt and tamper with the session data that is stored in the cookie.

Database specific
{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/5xxx/CVE-2026-5087.json",
    "cna_assigner": "CPANSec",
    "cwe_ids": [
        "CWE-1204",
        "CWE-338"
    ]
}
References

Affected packages

Git / github.com/jjn1056/pagi-middleware-session-store-cookie

Affected ranges

Type
GIT
Repo
https://github.com/jjn1056/pagi-middleware-session-store-cookie
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Last affected
Database specific
{
    "extracted_events": [
        {
            "introduced": "0"
        },
        {
            "last_affected": "0.001003"
        }
    ],
    "source": "AFFECTED_FIELD"
}

Affected versions

v0.*
v0.001001
v0.001002
v0.001003

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-5087.json"