CVE-2026-5080

Severity CVSS v4.0:
Pending analysis
Type:
Unavailable / Other
Publication date:
30/04/2026
Last modified:
05/05/2026

Description

Dancer::Session::Abstract versions through 1.3522 for Perl generate session ids insecurely.

The session id is generated from summing the character codepoints of the absolute pathname with the process id, the epoch time and calls to the built-in rand() function to return a number between 0 and 999-billion, and concatenating that result three times.

The path name might be known or guessed by an attacker, especially for applications known to be written using Dancer with standard installation locations.

The epoch time can be guessed by an attacker, and may be leaked in the HTTP header.

The process id comes from a small set of numbers, and workers may have sequential process ids.

The built-in rand() function is seeded with 32 bits and is considered unsuitable for security applications.

Predictable session ids could allow an attacker to gain access to systems.
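The mitigation is to stop deriving the id from guessable inputs and take it from the operating system's CSPRNG instead. The following generator is an added example, not code from the CVE record or from the Dancer project; it assumes a Unix-like host with /dev/urandom, and the check_ids routine is a constructed self-test, not part of any Dancer API.

```perl
#!/usr/bin/env perl
# Added example, not Dancer's own code: a session-id generator that takes all
# of its entropy from the OS CSPRNG rather than from the pathname / pid /
# epoch / rand() mix described in the advisory.
use strict;
use warnings;

# 32 bytes = 256 bits of entropy. The weak scheme is bounded by rand()'s
# 32-bit seed, so its whole id space is at most 2**32 regardless of length.
use constant ID_BYTES => 32;

# Returns a hex string of 2*$n characters built from $n bytes of /dev/urandom.
# Dies rather than returning a partial id if the read comes up short.
sub secure_session_id {
    my ($n) = @_;
    $n //= ID_BYTES;
    open my $fh, '<:raw', '/dev/urandom'
        or die "cannot open /dev/urandom: $!";
    my $got = read $fh, my $buf, $n;
    close $fh;
    die "short read from /dev/urandom"
        unless defined $got && $got == $n;
    return unpack 'H*', $buf;
}

# Constructed sanity check suitable for a test suite: fixed length, lowercase
# hex only, and no repeats across a batch (a repeat would indicate a broken
# entropy source, e.g. a forked worker sharing buffered randomness).
sub check_ids {
    my ($count) = @_;
    my %seen;
    for (1 .. $count) {
        my $id = secure_session_id();
        die "bad id format: $id" unless $id =~ /\A[0-9a-f]{64}\z/;
        die "duplicate id: $id"  if $seen{$id}++;
    }
    return 1;
}

check_ids(1000);
print secure_session_id(), "\n";
```

How this generator is wired into a given session engine depends on the engine's version and API, so verify the integration point against the installed Dancer release rather than assuming a fixed method name.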

Vulnerable products and versions

CPE:
cpe:2.3:a:perldancer:dancer\:\:session\:\:abstract:*:*:*:*:*:perl:*:*
From:
(no lower bound listed)
Up to:
1.3522 (including)