CVE-2026-13082
Deferred
Deferred - Pending Action
Predictable Randomness in GD::SecurityImage
Vulnerability report for CVE-2026-13082, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.
Publication date: 2026-07-17
Last updated on: 2026-07-17
Assigner: CPANSec
Description
Description
GD::SecurityImage versions through 1.75 for Perl use rand to generate secrets.
The random method creates the challenge text used for the CAPTCHA by sampling characters from an array using Perl's built-in rand function, and generates a (by default) six-character string.
The built-in rand function is unsuitable for security applications because it is predictable and reversible.
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
Currently, no data is known.
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-804 | The product uses a CAPTCHA challenge, but the challenge can be guessed or automatically recognized by a non-human actor. |
| CWE-338 | The product uses a Pseudo-Random Number Generator (PRNG) in a security context, but the PRNG's algorithm is not cryptographically strong. |