Thread Index - Febuary 2026 - CPANSec CVE announcements

CVE-2025-40905: WWW::OAuth 1.000 and earlier for Perl uses insecure rand() function for cryptographic functions Timothy Legge (13 Feb 2026 00:00 UTC)
CVE-2026-2474: Crypt::URandom versions from 0.41 before 0.55 for Perl is vulnerable to a heap buffer overflow in the XS function crypt_urandom_getrandom() Stig Palmquist (16 Feb 2026 21:01 UTC)
CVE-2025-15578: Maypole versions from 2.10 through 2.13 for Perl generates session ids insecurely Timothy Legge (16 Feb 2026 21:20 UTC)
CVE-2026-2439: Concierge::Sessions versions from 0.8.1 before 0.8.5 for Perl generate insecure session ids Timothy Legge (16 Feb 2026 21:27 UTC)
CVE-2026-2588: Crypt::NaCl::Sodium versions through 2.001 for Perl has an integer overflow flaw on 32-bit systems Timothy Legge (22 Feb 2026 23:37 UTC)