CVE-2025-40926 - Vulnerability Analysis
Severity: Critical | CVSS: 9.8 | Last Updated: March 5, 2026
Plack::Middleware::Session::Simple - Authentication Bypass
Overview
Plack::Middleware::Session::Simple <= 0.04 for Perl contains a broken-authentication weakness caused by insecure session ID generation from predictable seeds, which lets attackers guess session IDs and gain unauthorized access. Exploitation requires no special privileges.
Severity & Score: Critical, CVSS 9.8
Impact
Attackers can predict session IDs to hijack sessions and gain unauthorized access to user accounts or systems.
Mitigation
Update to a release later than 0.04, in which session IDs are generated from a secure random source.
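The overview and the quoted post describe the root cause: the default session ID was a SHA-1 hash of low-entropy inputs (rand, epoch time, PID). The following is an added illustration, not code from Plack::Middleware::Session::Simple or its author: a generator following that weak pattern placed next to one that draws from the operating system CSPRNG via Crypt::URandom (a CPAN module assumed to be installed, and the approach recommended by the metacpan random-data guide linked below). The `sid_generator` option name used in the usage note is an assumption to be checked against the module's documentation.

```perl
#!/usr/bin/env perl
# Added illustration (not the module's own code): a session-ID generator
# built from guessable seeds, as the advisory describes, beside one drawn
# from the OS CSPRNG.
use strict;
use warnings;
use Digest::SHA qw(sha1_hex);
use Crypt::URandom qw(urandom);   # CPAN module; assumed to be installed

# The pattern the advisory describes (CWE-338). Hashing adds no entropy:
# the output is fully determined by rand(), the PID and the epoch time,
# each of which has a small or observable range.
sub weak_session_id {
    return sha1_hex( rand() . $$ . time() );
}

# Hardened form: 32 bytes (256 bits) from the kernel CSPRNG, hex encoded.
# No hashing is needed; the bytes are already unpredictable.
sub secure_session_id {
    my $bytes = urandom(32);
    return unpack( 'H*', $bytes );
}

# Server-side validator: accept only IDs shaped like secure_session_id()
# output, so stale or malformed cookies are rejected before a store lookup.
sub valid_session_id {
    my ($sid) = @_;
    return defined $sid && $sid =~ /\A[0-9a-f]{64}\z/ ? 1 : 0;
}

# Demonstration when run directly.
unless (caller) {
    my $weak   = weak_session_id();
    my $secure = secure_session_id();
    print "weak   (SHA-1 of rand/PID/time): $weak\n";
    print "secure (256-bit CSPRNG):         $secure\n";
    printf "validator accepts secure id: %d\n", valid_session_id($secure);
    printf "validator rejects weak id:   %d\n", !valid_session_id($weak);
}
```

In a Plack application, the hardened generator and validator would be passed to the middleware if the installed version exposes generator and validator options (assumed here to be `sid_generator` and `sid_validator`; confirm in the module's POD), for example `enable 'Session::Simple', store => $store, sid_generator => \&secure_session_id, sid_validator => \&valid_session_id;`. Upgrading past 0.04 is still the primary fix; the custom generator is a stopgap where an immediate upgrade is not possible.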
References
- https://github.com/kazeburo/Plack-Middleware-Session-Simple/pull/4
- https://metacpan.org/release/KAZEBURO/Plack-Middleware-Session-Simple-0.04/source/lib/Plack/Middleware/Session/Simple.pm#L43
- https://security.metacpan.org/docs/guides/random-data-for-security.html
- https://www.cve.org/CVERecord?id=CVE-2025-40923
- https://github.com/kazeburo/Plack-Middleware-Session-Simple/commit/760bb358b8f53e52cf415888a4ac858fd99bb24e.patch
Social Media Activity(1 post)
CVE-2025-40926 - Critical (9.8) Plack::Middleware::Session::Simple versions through 0.04 for Perl generates session ids insecurely. The default session id generator returns a SHA-1 hash seeded with the built-in rand function, the epoch time, and the PID. The PID will come from ... https://www.thehackerwire.com/vulnerability/CVE-2025-40926/ #CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack
Details
- CVE ID: CVE-2025-40926
- Severity: Critical
- CVSS Score: 9.8
- Type: broken_authentication
- Status: unconfirmed
- EPSS: 4.6%
- Social Posts: 1
CWE
- CWE-338
CVSS Metrics
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H