CVEs classified under CWE-338, ordered by CVSS severity, with EPSS exploit prediction and CISA KEV status.
CVEs (50)
CVE-2026-56141 — CVSS 9.8 (critical): In JetBrains Hub before 2026.1.13757, 2025.3.148033, 2025.2.148048, 2025.1.148120, 2024.3.148430, 2024.2.148429 account takeover via…
CVE-2026-3256 — CVSS 9.8 (critical): HTTP::Session versions before 0.54 for Perl defaults to using insecurely generated session ids. HTTP::Session defaults to using…
CVE-2025-15604 — CVSS 9.8 (critical): Amon2 versions before 6.17 for Perl use an insecure random_string implementation for security functions. In versions 6.06 through 6.16, the…
CVE-2025-40926 — CVSS 9.8 (critical): Plack::Middleware::Session::Simple versions before 0.05 for Perl generates session ids insecurely. The default session id generator returns…
CVE-2026-2439 — CVSS 9.8 (critical): Concierge::Sessions versions from 0.8.1 before 0.8.5 for Perl generate insecure session ids. The generate_session_id function in…
CVE-2025-15578 — CVSS 9.8 (critical): Maypole versions from 2.10 through 2.13 for Perl generates session ids insecurely. The session id is seeded with the system time (which is…
CVE-2025-68932 — CVSS 9.8 (critical): FreshRSS is a free, self-hostable RSS aggregator. Prior to version 1.28.0, FreshRSS uses cryptographically weak random number generators…
CVE-2025-59390 — CVSS 9.8 (critical): Apache Druid’s Kerberos authenticator uses a weak fallback secret when the `druid.auth.authenticator.kerberos.cookieSignatureSecret`…
CVE-2025-7394 — CVSS 9.8 (critical): In the OpenSSL compatibility layer implementation, the function RAND_poll() was not behaving as expected and leading to the potential for…
CVE-2025-3495 — CVSS 9.8 (critical): Delta Electronics COMMGR v1 and v2 uses insufficiently randomized values to generate session IDs (CWE-338). An attacker could easily brute…
CVE-2024-40762 — CVSS 9.8 (critical): Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG) in the SonicOS SSLVPN authentication token generator that, in certain…
CVE-2023-36993 — CVSS 9.8 (critical): The cryptographically insecure random number generator being used in TravianZ 8.3.4 and 8.3.3 in the password reset function allows an…
CVE-2022-44796 — CVSS 9.8 (critical): An issue was discovered in Object First Ootbi BETA build 1.0.7.712. The authorization service has a flow that allows getting access to the…
CVE-2011-4574 — CVSS 9.8 (critical): PolarSSL versions prior to v1.1 use the HAVEGE random number generation algorithm. At its heart, this uses timing information based on the…
CVE-2021-3538 — CVSS 9.8 (critical): A flaw was found in github.com/satori/go.uuid in versions from commit 0ef6afb2f6cdd6cdaeee3885a95099c63f18fc8c to d91630c8510268e75203009fe7…
CVE-2020-28642 — CVSS 9.8 (critical): In InfiniteWP Admin Panel before 3.1.12.3, resetPasswordSendMail generates a weak password-reset code, which makes it easier for remote…
CVE-2019-16303 — CVSS 9.8 (critical): A class generated by the Generator in JHipster before 6.3.0 and JHipster Kotlin through 1.1.0 produces code that uses an insecure source of…
CVE-2017-18021 — CVSS 9.8 (critical): It was discovered that QtPass before 1.2.1, when using the built-in password generator, generates possibly predictable and enumerable…
CVE-2009-2367 — CVSS 9.8 (critical): cgi-bin/makecgi-pro in Iomega StorCenter Pro generates predictable session IDs, which allows remote attackers to hijack active sessions and…
CVE-2025-66630 — CVSS 9.4 (critical): Fiber is an Express inspired web framework written in Go. Before 2.52.11, on Go versions prior to 1.24, the underlying crypto/rand…
CVE-2025-54883: Vision UI is a collection of enterprise-grade, dependency-free modules for modern web projects. In versions 1.4.0 and below, the…
CVE-2026-7874 — CVSS 9.1 (critical): IBM Langflow OSS 1.0.0 through 1.10.0 Langflow could allow disclosure of all stored credentials due to the use of a weak and reversible key…
CVE-2026-9733 — CVSS 9.1 (critical): Mojolicious::Plugin::Web::Auth::OAuth2 versions through 0.17 for Perl have an insecure default state parameter. When no state generator is…
CVE-2026-11832 — CVSS 9.1 (critical): Dancer2::Plugin::Auth::OAuth versions before 0.22 for Perl default to a predictable nonce. The default nonce was generated using an MD5…
CVE-2026-47372 — CVSS 9.1 (critical): Crypt::SaltedHash versions through 0.09 for Perl generate insecure random values for salts. These versions use the built-in rand function…
CVE-2026-5085 — CVSS 9.1 (critical): Solstice::Session versions through 1440 for Perl generates session ids insecurely. The _generateSessionID method returns an MD5 digest…
CVE-2025-15618 — CVSS 9.1 (critical): Business::OnlinePayment::StoredTransaction versions through 0.01 for Perl uses an insecure secret key. Business::OnlinePayment::StoredTransa…
CVE-2024-57854 — CVSS 9.1 (critical): Net::NSCA::Client versions through 0.009002 for Perl uses a poor random number generator. Version v0.003 switched to use…
CVE-2025-40931 — CVSS 9.1 (critical): Apache::Session::Generate::MD5 versions through 1.94 for Perl create insecure session id. Apache::Session::Generate::MD5 generates session…
CVE-2024-58041 — CVSS 9.1 (critical): Smolder versions through 1.51 for Perl uses insecure rand() function for cryptographic functions. Smolder 1.51 and earlier for Perl uses…
CVE-2025-40925 — CVSS 9.1 (critical): Starch versions 0.14 and earlier generate session ids insecurely. The default session id generator returns a SHA-1 hash seeded with a…
CVE-2025-40916 — CVSS 9.1 (critical): Mojolicious::Plugin::CaptchaPNG version 1.05 for Perl uses a weak random number source for generating the captcha. That version uses the…
CVE-2025-32755 — CVSS 9.1 (critical): In jenkins/ssh-slave Docker images based on Debian, SSH host keys are generated on image creation for images based on Debian, causing all…
CVE-2025-32754 — CVSS 9.1 (critical): In jenkins/ssh-agent Docker images 6.11.1 and earlier, SSH host keys are generated on image creation for images based on Debian, causing…
CVE-2024-29868 — CVSS 9.1 (critical): Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG) vulnerability in Apache StreamPipes user self-registration and password…
CVE-2022-35255 — CVSS 9.1 (critical): A weak randomness in WebCrypto keygen vulnerability exists in Node.js 18 due to a change with EntropySource() in SecretKeyGenTraits::DoKeyGe…
CVE-2018-16115 — CVSS 9.1 (critical): Lightbend Akka 2.5.x before 2.5.16 allows message disclosure and modification because of an RNG error. A random number generator is used in…
CVE-2022-36045 — CVSS 9.0 (critical): NodeBB Forum Software is powered by Node.js and supports either Redis, MongoDB, or a PostgreSQL database. It utilizes web sockets for…
CVE-2026-14495 — CVSS 8.8 (high): The DoLogin Security plugin for WordPress is vulnerable to Authentication Bypass via Insufficient Randomness in all versions up to, and…
CVE-2025-1796 — CVSS 8.8 (high): A vulnerability in langgenius/dify v0.10.1 allows an attacker to take over any account, including administrator accounts, by exploiting a…
CVE-2025-1828 — CVSS 8.8 (high): Crypt::Random Perl package 1.05 through 1.55 may use rand() function, which is not cryptographically strong, for cryptographic functions…
CVE-2022-26943 — CVSS 8.8 (high): The Motorola MTM5000 series firmwares generate TETRA authentication challenges using a PRNG using a tick count register as its sole entropy…
CVE-2022-45782 — CVSS 8.8 (high): An issue was discovered in dotCMS core 5.3.8.5 through 5.3.8.15 and 21.03 through 22.10.1. A cryptographically insecure random generation…
CVE-2017-8081 — CVSS 8.8 (high): Poor cryptographic salt initialization in admin/inc/template_functions.php in GetSimple CMS 3.3.13 allows a network attacker to escalate…
CVE-2025-40920 — CVSS 8.6 (high): Catalyst::Authentication::Credential::HTTP versions 1.018 and earlier for Perl generate nonces using the Perl Data::UUID library. *…
CVE-2021-43799 — CVSS 8.6 (high): Zulip is an open-source team collaboration tool. Zulip Server installs RabbitMQ for internal message passing. In versions of Zulip Server…
CVE-2023-28395 — CVSS 8.3 (high): Osprey Pump Controller version 1.01 is vulnerable to a weak session token generation algorithm that can be predicted and can aid in…
CVE-2013-20003 — CVSS 8.3 (high): Z-Wave devices from Sierra Designs (circa 2013) and Silicon Labs (using S0 security) may use a known, shared network key of all zeros…
CVE-2025-40932 — CVSS 8.2 (high): Apache::SessionX versions through 2.01 for Perl create insecure session id. Apache::SessionX generates session ids insecurely. The default…