Insecure Session ID Generation in Dancer Framework by Dancer
CVE-2026-5080

Currently unrated

Key Information:

Vendor: Bigpresh

CVE Published: 30 April 2026

What is CVE-2026-5080?

Dancer::Session::Abstract versions up to and including 1.3522 generate session IDs insecurely. The generation process uses predictable components, such as the absolute pathname, the process ID, and the time of the operation, all of which may be guessed by an attacker. The process ID is limited to a small range and may be sequential, and the random number comes from the built-in rand() function, which is not secure for cryptographic purposes. This vulnerability can allow malicious actors to predict or intercept session IDs, thereby compromising user sessions and gaining unauthorized access to sensitive information.
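The weak pattern described above next to a hardened generator, as an added Perl example that is not Dancer's own code. The function names, the way the weak inputs are joined, and the use of /dev/urandom are assumptions of this sketch.

```perl
#!/usr/bin/perl
# Added illustration; not taken from the Dancer source.
use strict;
use warnings;
use Cwd qw(abs_path);

# Weak pattern as the advisory describes it: every input is guessable
# (script path, PID, clock) or comes from the non-cryptographic rand().
# How the pieces are combined here is an assumption made for this sketch.
sub weak_session_id {
    my $path = abs_path($0) // $0;
    return join '-', $path, $$, time(), int(rand(1_000_000_000));
}

# rand() is a deterministic PRNG: the same seed replays the same outputs,
# so its values add no secrecy once the seed or state can be inferred.
sub rand_repeats_for_seed {
    my ($seed) = @_;
    srand($seed); my @first  = map { rand() } 1 .. 3;
    srand($seed); my @second = map { rand() } 1 .. 3;
    return "@first" eq "@second";
}

# Hardened form: take the whole ID from the kernel CSPRNG.
# /dev/urandom is assumed to exist (Linux, BSD, macOS).
sub strong_session_id {
    my ($nbytes) = @_;
    $nbytes //= 32;    # 256 bits of randomness
    open my $fh, '<:raw', '/dev/urandom'
        or die "cannot open /dev/urandom: $!";
    my $got = read($fh, my $buf, $nbytes);
    close $fh;
    die "short read from /dev/urandom\n"
        unless defined $got && $got == $nbytes;
    return unpack 'H*', $buf;    # hex-encode for use as a cookie value
}

printf "weak:   %s\n", weak_session_id();
printf "rand() replays for a fixed seed: %s\n",
    rand_repeats_for_seed(12345) ? 'yes' : 'no';
srand();    # reseed after the fixed-seed demonstration
printf "strong: %s\n", strong_session_id();
```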

Affected Version(s)

Dancer::Session::Abstract 0 <= 1.3522
