CVEs classified under CWE-331, ordered by CVSS severity, with EPSS exploit prediction and CISA KEV status.
CVEs (50)
CVE-2020-36925 — CVSS 9.8 (critical): Arteco Web Client DVR/NVR contains a session hijacking vulnerability with insufficient session ID complexity that allows remote attackers…
CVE-2025-47781 — CVSS 9.8 (critical): Rallly is an open-source scheduling and collaboration tool. Versions up to and including 3.22.1 of the application features token based…
CVE-2024-47945 — CVSS 9.8 (critical): The devices are vulnerable to session hijacking due to insufficient entropy in its session ID generation algorithm. The session IDs are…
CVE-2024-25730 — CVSS 9.8 (critical): Hitron CODA-4582 and CODA-4589 devices have default PSKs that are generated from 5-digit hex values concatenated with a "Hitron" substring…
CVE-2023-49599 — CVSS 9.8 (critical): An insufficient entropy vulnerability exists in the salt generation functionality of WWBN AVideo dev master commit 15fed957fb. A specially…
CVE-2022-34294 — CVSS 9.8 (critical): totd 1.5.3 uses a fixed UDP source port in upstream queries sent to DNS resolvers. This allows DNS cache poisoning because there is not…
CVE-2021-41615 — CVSS 9.8 (critical): websda.c in GoAhead WebServer 2.1.8 has insufficient nonce entropy because the nonce calculation relies on the hardcoded…
CVE-2021-22727 — CVSS 9.8 (critical): A CWE-331: Insufficient Entropy vulnerability exists in EVlink City (EVC1S22P4 / EVC1S7P4 all versions prior to R8 V3.4.0.1), EVlink…
CVE-2020-10285 — CVSS 9.8 (critical): The authentication implementation on the xArm controller has very low entropy, making it vulnerable to a brute-force attack. There is no…
CVE-2020-12735 — CVSS 9.8 (critical): reset.php in DomainMOD 4.13.0 uses insufficient entropy for password reset requests, leading to account takeover.
CVE-2018-1000620 — CVSS 9.8 (critical): Eran Hammer cryptiles version 4.1.1 earlier contains a CWE-331: Insufficient Entropy vulnerability in randomDigits() method that can result…
CVE-2008-2108 — CVSS 9.8 (critical): The GENERATE_SEED macro in PHP 4.x before 4.4.8 and 5.x before 5.2.5, when running on 64-bit systems, performs a multiplication that…
CVE-2024-36400 — CVSS 9.4 (critical): nano-id is a unique string ID generator for Rust. Affected versions of the nano-id crate incorrectly generated IDs using a reduced…
CVE-2025-67504 — CVSS 9.1 (critical): WBCE CMS is a content management system. Versions 1.6.4 and below use function GenerateRandomPassword() to create passwords using PHP's…
CVE-2024-3411 — CVSS 9.1 (critical): Implementations of IPMI Authenticated sessions does not provide enough randomness to protect from session hijacking, allowing an attacker…
CVE-2021-4238 — CVSS 9.1 (critical): Randomly-generated alphanumeric strings contain significantly less entropy than expected. The RandomAlphaNumeric and CryptoRandomAlphaNumeri…
CVE-2017-18883 — CVSS 9.1 (critical): An issue was discovered in Mattermost Server before 4.3.0, 4.2.1, and 4.1.2, when serving as an OAuth 2.0 Service Provider. There is low…
CVE-2025-50122: A CWE-331: Insufficient Entropy vulnerability exists that could cause root password discovery when the password generation algorithm is…
CVE-2025-13399 — CVSS 8.8 (high): A weakness in the web interface’s application layer encryption in VX800v v1.0 allows an adjacent attacker to brute force the weak AES key…
CVE-2025-15387 — CVSS 8.8 (high): VPN Firewall developed by QNO Technology has a Insufficient Entropy vulnerability, allowing unauthenticated remote attackers to obtain any…
CVE-2022-37401 — CVSS 8.8 (high): Apache OpenOffice supports the storage of passwords for web connections in the user's configuration database. The stored passwords are…
CVE-2026-4827: CWE‑331: Insufficient Entropy vulnerability exists that could lead to unauthorized access when an attacker on the network can exploit…
CVE-2026-2336: A privilege escalation vulnerability in Microchip IStaX allows an authenticated low-privileged user to recover a shared per-device cookie…
CVE-2025-52464 — CVSS 8.3 (high): Meshtastic is an open source mesh networking solution. In versions from 2.5.0 to before 2.6.11, the flashing procedure of several hardware…
CVE-2023-46648 — CVSS 8.3 (high): An insufficient entropy vulnerability was identified in GitHub Enterprise Server (GHES) that allowed an attacker to brute force a user…
CVE-2022-31034 — CVSS 8.3 (high): Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. All versions of Argo CD starting with v0.11.0 are vulnerable to a…
CVE-2026-34236 — CVSS 8.2 (high): Auth0-PHP is a PHP SDK for Auth0 Authentication and Management APIs. From version 8.0.0 to before version 8.19.0, in applications built…
CVE-2023-37822 — CVSS 8.2 (high): The Eufy Homebase 2 before firmware version 3.3.4.1h creates a dedicated wireless network for its ecosystem, which serves as a proxy to the…
CVE-2014-8422 — CVSS 8.1 (high): The web-based management (WBM) interface in Unify (former Siemens) OpenStage SIP and OpenScape Desk Phone IP V3 devices before R3.32.0…
CVE-2017-13992 — CVSS 8.1 (high): An Insufficient Entropy issue was discovered in LOYTEC LVIS-3ME versions prior to 6.2.0. The application does not utilize sufficiently…
CVE-2024-6508 — CVSS 8.0 (high): An insufficient entropy vulnerability was found in the Openshift Console. In the authorization code type and implicit grant type, the…
CVE-2025-1860 — CVSS 7.7 (high): Data::Entropy for Perl 0.007 and earlier use the rand() function as the default source of entropy, which is not cryptographically secure…
CVE-2012-4687 — CVSS 7.6 (high): Post Oak AWAM Bluetooth Reader Traffic System does not use a sufficient source of entropy for private keys, which makes it easier for…
CVE-2026-46473 — CVSS 7.5 (high): Authen::TOTP versions before 0.1.1 for Perl generate secrets using rand. Secrets were generated using Perl's built-in rand function, which…
CVE-2026-46474 — CVSS 7.5 (high): Trog::TOTP versions before 1.006 for Perl generate secrets using rand. Secrets were generated using Perl's built-in rand function, which is…
CVE-2026-7210 — CVSS 7.5 (high): `xml.parsers.expat` and `xml.etree.ElementTree` use insufficient entropy for Expat hash-flooding protection, which allows a crafted XML…
CVE-2026-22698 — CVSS 7.5 (high): RustCrypto: Elliptic Curves is general purpose Elliptic Curve Cryptography (ECC) support, including types and traits for representing…
CVE-2025-29311 — CVSS 7.5 (high): Limited secret space in LLDP packets used in onos v2.7.0 allows attackers to obtain the private key via a bruteforce attack. Attackers are…
CVE-2024-53522 — CVSS 7.5 (high): Bangkok Medical Software HOSxP XE v4.64.11.3 was discovered to contain a hardcoded IDEA Key-IV pair in the HOSxPXE4.exe and HOS-WIN32.INI…
CVE-2018-9426 — CVSS 7.5 (high): In RsaKeyPairGenerator::getNumberOfIterations of RSAKeyPairGenerator.java, an incorrect implementation could cause weak RSA key pairs being…
CVE-2024-25407 — CVSS 7.5 (high): SteVe v3.6.0 was discovered to use predictable transaction ID's when receiving a StartTransaction request. This vulnerability can allow…
CVE-2023-31176 — CVSS 7.5 (high): An Insufficient Entropy vulnerability in the Schweitzer Engineering Laboratories SEL-451 could allow an unauthenticated remote attacker to…
CVE-2023-20107 — CVSS 7.5 (high): A vulnerability in the deterministic random bit generator (DRBG), also known as pseudorandom number generator (PRNG), in Cisco Adaptive…
CVE-2022-33756 — CVSS 7.5 (high): CA Automic Automation 12.2 and 12.3 contain an entropy weakness vulnerability in the Automic AutomationEngine that could allow a remote…
CVE-2021-36320 — CVSS 7.5 (high): Dell Networking X-Series firmware versions prior to 3.0.1.8 contain an authentication bypass vulnerability. A remote unauthenticated…
CVE-2020-25926 — CVSS 7.5 (high): The DNS client in InterNiche NicheStack TCP/IP 4.0.1 is affected by: Insufficient entropy in the DNS transaction id. The impact is: DNS…