CVE-2026-13082
Deferred Deferred - Pending Action

Predictable Randomness in GD::SecurityImage

Vulnerability report for CVE-2026-13082, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-17

Last updated on: 2026-07-17

Assigner: CPANSec

Description

GD::SecurityImage versions through 1.75 for Perl use rand to generate secrets. The random method creates the challenge text used for the CAPTCHA by sampling characters from an array using Perl's built-in rand function, and generates a (by default) six-character string. The built-in rand function is unsuitable for security applications because it is predictable and reversible.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-17
Last Modified
2026-07-17
Generated
2026-07-17
AI Q&A
2026-07-17
EPSS Evaluated
N/A
NVD
EUVD

Affected Vendors & Products

Currently, no data is known.

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-804 The product uses a CAPTCHA challenge, but the challenge can be guessed or automatically recognized by a non-human actor.
CWE-338 The product uses a Pseudo-Random Number Generator (PRNG) in a security context, but the PRNG's algorithm is not cryptographically strong.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

This vulnerability affects GD::SecurityImage versions up to 1.75 for Perl. The module uses Perl's built-in rand function to generate CAPTCHA challenge text by creating a six-character string from random characters. The rand function is insecure because it produces predictable and reversible outputs, making the CAPTCHA easily bypassable.

Detection Guidance

To detect this vulnerability, check if GD::SecurityImage versions through 1.75 are installed on your system. Use commands like 'cpan -D GD::SecurityImage' or 'perl -MGD::SecurityImage -e "print $GD::SecurityImage::VERSION"' to verify the version. If the version is 1.75 or lower, the system is vulnerable.

Impact Analysis

If you use GD::SecurityImage for CAPTCHA generation, attackers could predict or reverse-engineer the challenge text, bypassing CAPTCHA protections. This could allow automated spam, brute-force attacks, or unauthorized form submissions on systems relying on this module for security.

Compliance Impact

This vulnerability does not directly affect compliance with GDPR or HIPAA as it involves a weak random number generator in a CAPTCHA implementation rather than data handling or security controls.

Mitigation Strategies

Update GD::SecurityImage to a patched version that uses a secure random number generator. Apply the patch from Resource 2 or upgrade to a version that includes Crypt::URandom::MonkeyPatch. Alternatively, replace GD::SecurityImage with a more secure CAPTCHA solution.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-13082. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart