Thread Index - Febuary 2026 - CPANSec CVE announcements

CVE-2025-40905: WWW::OAuth 1.000 and earlier for Perl uses insecure rand() function for cryptographic functions Timothy Legge (13 Feb 2026 00:00 UTC)
CVE-2026-2474: Crypt::URandom versions from 0.41 before 0.55 for Perl is vulnerable to a heap buffer overflow in the XS function crypt_urandom_getrandom() Stig Palmquist (16 Feb 2026 21:01 UTC)
CVE-2025-15578: Maypole versions from 2.10 through 2.13 for Perl generates session ids insecurely Timothy Legge (16 Feb 2026 21:20 UTC)
CVE-2026-2439: Concierge::Sessions versions from 0.8.1 before 0.8.5 for Perl generate insecure session ids Timothy Legge (16 Feb 2026 21:27 UTC)
CVE-2026-2588: Crypt::NaCl::Sodium versions through 2.001 for Perl has an integer overflow flaw on 32-bit systems Timothy Legge (22 Feb 2026 23:37 UTC)
CVE-2024-58041: Smolder versions through 1.51 for Perl uses insecure rand() function for cryptographic functions Timothy Legge (23 Feb 2026 23:58 UTC)
CVE-2025-40932: Apache::SessionX versions through 2.01 for Perl create insecure session id Timothy Legge (27 Feb 2026 00:03 UTC)
CVE-2026-2597: Crypt::SysRandom::XS versions before 0.010 for Perl is vulnerable to a heap buffer overflow in the XS function random_bytes() Timothy Legge (27 Feb 2026 00:04 UTC)
CVE-2021-4456: Net::CIDR versions before 0.24 for Perl mishandle leading zeros in IP CIDR addresses, which may have unspecified impact Timothy Legge (27 Feb 2026 00:19 UTC)
CVE-2026-3255: HTTP::Session2 versions before 1.12 for Perl may generate weak session ids using the rand() function Robert Rothenberg (27 Feb 2026 20:24 UTC)
CVE-2018-25160: HTTP::Session2 versions through 1.09 for Perl does not validate the format of user provided session ids, enabling code injection or other impact depending on session backend Robert Rothenberg (27 Feb 2026 20:25 UTC)