CVE & CISA-KEV Catalog

CVE-2026-56016

Severity: MEDIUM (5.9, CVSS v3, scored by NVD)

Description

CGI::Session::ID::md5 versions before 4.49 for Perl generate predictable session ids from low-entropy sources. The generate_id method builds the session id from an MD5 digest of the process id, the epoch time, and the built-in rand() function. All three are predictable, low-entropy inputs: the PID is drawn from a small range, the epoch time can be guessed or read from the HTTP Date header, and Perl's rand() is unsuitable for security purposes because its output is predictable and its state is reversible. Hashing these inputs with MD5 adds no entropy; it only disguises values that can be enumerated. An attacker who predicts a session id can impersonate the corresponding session and bypass authentication.

How to fix

No published remediation has been found for this vulnerability's affected products yet.

Mitigation guidance may be in the linked vendor advisories in the References section below.

CVSS v3 Vector

Exploitability

Attack Vector: Network
Attack Complexity: High
Privileges Required: None
User Interaction: None
Scope: Unchanged

Impact

Confidentiality: High
Integrity: None
Availability: None

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N

Exploit Intelligence

EPSS data unavailable for this CVE.

References

Other references (2)
Embed a live status badge for CVE-2026-56016
CVE-2026-56016 severity badge

Markdown

[![CVE-2026-56016](https://tridentstack.com/cve/badge/CVE-2026-56016.svg)](https://tridentstack.com/cve/CVE-2026-56016)

HTML

<a href="https://tridentstack.com/cve/CVE-2026-56016"><img src="https://tridentstack.com/cve/badge/CVE-2026-56016.svg" alt="CVE-2026-56016"></a>


This product uses NVD data but is not endorsed or certified by the NVD. EPSS scores courtesy of FIRST.org (https://www.first.org/epss). Source: CISA KEV Catalog. Data as of 2026-07-01.