CVE-2026-9323 Insecure PRNG and Information Exposure in urwid Web Display Backend
The urwid web display backend urwid/display/web.py generates web session identifiers urwidid in Screen.start by concatenating two random.randrange109 calls that use Python's Mersenne Twister PRNG, which is not cryptographically secure. Each call consumes approximately 30 bits of PRNG state, and t...