Mojolicious Plugin Session Store Vulnerability in Perl Application
CVE-2026-9692

5.3 MEDIUM

Key Information:

Vendor

Hayajo

CVE Published:
18 June 2026

What is CVE-2026-9692?

The Mojolicious::Sessions::Storable component in version 0.05 generates session IDs predictably: the ID is a SHA-1 hash that combines low-entropy inputs such as the built-in rand function, epoch time, heap address, and process ID. The resulting session identifiers can be guessed, which compromises the security of user sessions in Perl applications. Developers should update to patched versions and ensure session IDs are generated securely to safeguard against unauthorized access.
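The contrast between the weak pattern and a hardened generator, as an added example (not the module's source code and not its patch). The function names are hypothetical, the weak function only mirrors the inputs listed above, and the hardened one assumes a Unix-like system that provides /dev/urandom.

```perl
#!/usr/bin/env perl
use strict;
use warnings;
use Digest::SHA qw(sha1_hex);

# Illustration of the weak pattern described above (not the module's source):
# every input is low-entropy or observable, and hashing adds no entropy.
sub weak_session_id {
    my $ref = {};    # stringifies to "HASH(0x...)", i.e. a heap address
    return sha1_hex(rand() . time() . "$ref" . $$);
}

# Hardened form: read $nbytes (default 32 = 256 bits) from the kernel CSPRNG.
sub secure_session_id {
    my ($nbytes) = @_;
    $nbytes //= 32;
    open my $fh, '<:raw', '/dev/urandom'
        or die "cannot open /dev/urandom: $!";
    my $buf = '';
    while (length($buf) < $nbytes) {
        # Append at the current end of $buf; short reads are retried.
        my $got = read($fh, $buf, $nbytes - length($buf), length($buf));
        die "read from /dev/urandom failed: $!" unless defined $got;
        die "unexpected EOF on /dev/urandom"    if $got == 0;
    }
    close $fh;
    return unpack('H*', $buf);    # lowercase hex, two characters per byte
}

# Shape check for IDs arriving in a cookie: fixed length, lowercase hex only.
# It rejects malformed input early; it says nothing about how an ID was made.
sub is_well_formed_id {
    my ($sid, $nbytes) = @_;
    my $len = 2 * ($nbytes // 32);
    return (defined $sid && $sid =~ /\A[0-9a-f]{$len}\z/) ? 1 : 0;
}

my $sid  = secure_session_id();
my $weak = weak_session_id();
print "secure id:        $sid\n";
print "well formed:      ", is_well_formed_id($sid), "\n";
print "weak-pattern id:  $weak (do not use)\n";
# A 40-character SHA-1 hex digest fails the 64-character shape check.
print "weak well formed: ", is_well_formed_id($weak), "\n";
```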

Affected Version(s)

Mojolicious::Sessions::Storable 0 <= 0.05

CVSS V3.1

Score:
5.3
Severity:
MEDIUM
Confidentiality:
Low
Integrity:
None
Availability:
Low
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged
