
12 matches found

Vulnrichment
added 2025/10/20 4:13 p.m., 4 views

CVE-2025-6515 Reuse of session IDs in oatpp-mcp leads to session hijacking and prompt hijacking by remote attackers

The MCP SSE endpoint in oatpp-mcp returns an instance pointer as the session ID, which is not unique nor cryptographically secure. This allows network attackers with access to the oatpp-mcp server to guess future session IDs and hijack legitimate client MCP sessions, returning malicious responses...

CVSS 6.8, AI score 6.5, EPSS 0.00043
Exploits 0, References 1
EUVD
added 2025/10/03 8:07 p.m., 4 views

EUVD-2022-6591

Malicious code in bioql PyPI...

CVSS 9.8, AI score 9.2, EPSS 0.00712
Exploits 0, References 5
OSV
added 2025/03/28 1:15 a.m., 1 view

DEBIAN-CVE-2025-1860

Data::Entropy for Perl 0.007 and earlier uses the rand function, which is not cryptographically secure, as the default source of entropy for cryptographic functions...

CVSS 7.7, AI score 5.6, EPSS 0.00083
Exploits 0, References 1
OSV
added 2024/06/07 10:26 p.m., 11 views

GHSA-8XHV-GQM4-3W99 ZendFramework1 Potential Insufficient Entropy Vulnerability

We discovered several methods used to generate random numbers in ZF1 that potentially used insufficient entropy. These random number generators are used in the following method calls: Zend_Ldap_Attribute::createPassword, Zend_Form_Element_Hash::generateHash, Zend_Gdata_HttpClient::filterHttpRequest...

CVSS 7.5, AI score 6.8
Exploits 0, References 3
Vulnrichment
added 2023/07/07 12:00 a.m., 11 views

CVE-2023-36993

The cryptographically insecure random number generator used in the password reset function of TravianZ 8.3.4 and 8.3.3 allows an attacker to guess the password reset parameters and to take over accounts...

AI score 7, EPSS 0.00131
Exploits 1, References 1
Prion
added 2023/02/08 12:15 a.m., 13 views

Design/Logic Flaw

Onedev is a self-hosted Git server with CI/CD and Kanban. In versions prior to 7.9.12, the algorithm used to generate access tokens and password reset keys was not cryptographically secure. Existing normal users (or anyone, if self-registration is enabled) may exploit this to elevate privilege to...

CVSS 6.5, AI score 8.5, EPSS 0.00297
Exploits 0, References 2, Affected Software 1
NVD
added 2022/08/31 3:15 p.m., 10 views

CVE-2022-36045

NodeBB Forum Software is powered by Node.js and supports either Redis, MongoDB, or a PostgreSQL database. It utilizes web sockets for instant interactions and real-time notifications. utils.generateUUID, a helper function available in essentially all versions of NodeBB as far back as v1.0.1 and...

CVSS 9.8, EPSS 0.00712
Exploits 0, References 3
Cvelist
added 2021/09/23 12:44 p.m., 11 views

CVE-2021-22948

Vulnerability in the generation of session IDs in revive-adserver 5.3.0, based on the cryptographically insecure uniqid PHP function. Under some circumstances, an attacker could theoretically be able to brute force session IDs in order to take over a specific account...

AI score 6.9, EPSS 0.00372
Exploits 1, References 2
Veracode
added 2019/11/20 5:57 a.m., 19 views

Insecure Random Number Generator

magento/community-edition uses an insecure random number generator. The application uses a cryptographically insecure PHP rand function to generate a random number for the initialization vector, making it easier for remote attackers to defeat cryptographic protection mechanisms...

CVSS 7.5, AI score 4.4, EPSS 0.00084
Exploits 0, References 5, Affected Software 1
Hacker One
added 2016/12/11 3:49 p.m., 60 views

Gratipay: Gratipay uses the random module's cryptographically insecure PRNG.

Dear Gratipay bug bounty team, Summary --- Gratipay currently uses the random module's pseudo-random number generator which is not a cryptographically secure PRNG as stated in the docs: The pseudo-random generators of this module should not be used for security purposes. For security or...

Exploits 0
Tenable Nessus
added 2016/03/02 12:00 a.m., 31 views

phpMyAdmin 4.0.x < 4.0.10.13 / 4.4.x < 4.4.15.3 / 4.5.x < 4.5.4 Multiple Vulnerabilities (PMASA-2016-1 - PMASA-2016-5)

Binary data 9115.prm...

CVSS 7.5, AI score 6.6, EPSS 0.01204
Exploits 0, References 11
Tenable Nessus
added 2016/02/26 12:00 a.m., 33 views

phpMyAdmin 4.0.x < 4.0.10.13 / 4.4.x < 4.4.15.3 / 4.5.x < 4.5.4 Multiple Vulnerabilities (PMASA-2016-1 - PMASA-2016-5)

According to its self-reported version number, the phpMyAdmin application hosted on the remote web server is 4.0.x prior to 4.0.10.13, 4.4.x prior to 4.4.15.3, or 4.5.x prior to 4.5.4. It is, therefore, affected by the following vulnerabilities: - A security bypass vulnerability exists due to th...

CVSS 7.5, AI score 6.9, EPSS 0.01204
Exploits 0, References 10