CVE-2025-15578 PUBLISHED

Maypole versions from 2.10 through 2.13 for Perl generate session ids insecurely

Assigner: CPANSec
Reserved: 12.02.2026 Published: 16.02.2026 Updated: 17.02.2026

Maypole versions from 2.10 through 2.13 for Perl generate session ids insecurely. The session id is seeded with the system time (which is available from HTTP response headers), a call to the built-in rand() function, and the PID.
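
The weakness class described above, shown as an added example that is not Maypole's code: a session id built from the three inputs the advisory names is a deterministic function of those inputs, next to a replacement that draws from the kernel CSPRNG. The function names, the SHA-256 hashing step, the sample values and the use of /dev/urandom are assumptions made for illustration.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use Digest::SHA qw(sha256_hex);

# Weak pattern: constructed illustration built from the three inputs the
# advisory names (system time, rand(), PID). Not Maypole's actual code.
sub weak_session_id {
    my ( $time, $pid ) = @_;
    return sha256_hex( $time . rand() . $pid );
}

# Hardened form: 32 bytes (256 bits) from the kernel CSPRNG, hex-encoded.
# Assumes a Unix-like host that provides /dev/urandom.
sub strong_session_id {
    open( my $fh, '<:raw', '/dev/urandom' )
        or die "cannot open /dev/urandom: $!";
    my $got = read( $fh, my $buf, 32 );
    close $fh;
    die "short read from /dev/urandom"
        unless defined $got && $got == 32;
    return unpack( 'H*', $buf );
}

# Constructed sample inputs: a fixed timestamp, PID and rand() seed.
my ( $time, $pid, $seed ) = ( 1_700_000_000, 4242, 12345 );

srand($seed);
my $first = weak_session_id( $time, $pid );
srand($seed);
my $second = weak_session_id( $time, $pid );

# Same time, PID and rand() state give the same id: hashing adds no entropy.
print "weak ids identical: ", ( $first eq $second ? "yes" : "no" ), "\n";

# Two CSPRNG-backed ids do not repeat.
my ( $s1, $s2 ) = ( strong_session_id(), strong_session_id() );
print "strong ids identical: ", ( $s1 eq $s2 ? "yes" : "no" ), "\n";
print "strong id length (hex chars): ", length($s1), "\n";
```

On hosts without /dev/urandom, the CPAN module Crypt::URandom offers a portable source of the same kind of random bytes.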

Product Status

Vendor TEEJAY
Product Maypole
Versions Default: unaffected
  • affected from 2.10 to 2.13 (incl.)

Credits

  • Robert Rothenberg (finder)

Problem Types

  • CWE-338: Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG)