CVE-2025-15578
Received
Received - Intake
Insecure Session ID Generation in Maypole Perl
Publication date: 2026-02-16
Last updated on: 2026-03-10
Assigner: CPANSec
Description
Maypole versions 2.10 through 2.13 for Perl generate session IDs insecurely. The session ID is seeded with the system time (which is available from HTTP response headers), a call to the built-in rand() function, and the PID.
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| teejay | maypole | From 2.10 (inc) to 2.13 (inc) |
| teejay | maypole | 2.111 |
| teejay | maypole | 2.121 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-338 | The product uses a Pseudo-Random Number Generator (PRNG) in a security context, but the PRNG's algorithm is not cryptographically strong. |