CVE Search Engine - Security Vulnerabilities and Exploits Search Tool

RedhatCVE•added 2026/06/05 7:49 p.m.•6 views

CVE-2026-5082

Amon2::Plugin::Web::CSRFDefender versions from 7.00 through 7.03 for Perl generate an insecure session id. The generatesessionid function will attempt to read bytes from the /dev/urandom device, but if that is unavailable then it generates bytes using SHA-1 hash seeded with the built-in rand...

5.3CVSS5.4AI score0.00405EPSS

RedhatCVE•added 2026/06/05 7:49 p.m.•5 views

CVE-2026-5085

Solstice::Session versions through 1440 for Perl generates session ids insecurely. The generateSessionID method returns an MD5 digest seeded by the epoch time, a random hash reference, a call to the built-in rand function and the process id. The same method is used in the generateID method in...

9.1CVSS5.5AI score0.00339EPSS

RedhatCVE•added 2026/06/05 7:46 p.m.•5 views

CVE-2026-46473

Authen::TOTP versions before 0.1.1 for Perl generate secrets using rand. Secrets were generated using Perl's built-in rand function, which is predictable and unsuitable for security usage...

7.5CVSS5.4AI score0.00416EPSS

RedhatCVE•added 2026/06/05 7:20 p.m.•7 views

CVE-2026-41858

Weak Randomness / Insecure Cryptographic Primitive CWE-338 in Get-RandomPassword in BOSH-Ecosystem / windows-utilities-release allows a network attacker to estimate VM boot time and reconstruct a small candidate list to recover the Administrator password. The randomizepassword job exists solely t...

7.5CVSS5.4AI score0.00245EPSS

RedhatCVE•added 2026/06/05 7:16 p.m.•7 views

CVE-2026-42155

Magento Long Term Support LTS is an unofficial, community-driven project provides an alternative to the Magento Community Edition e-commerce platform with a high level of backward compatibility. Prior to 20.18.0, the XML-RPC / SOAP API session ID is generated using an outdated, time-based...

9.3CVSS5.5AI score0.00267EPSS

NVD•added 2026/06/04 3:16 a.m.•9 views

CVE-2026-41858

7.5CVSS0.00245EPSS

CVE•added 2026/06/04 2:10 a.m.•14 views

CVE-2026-41858

The CVE fixes a weakness in Get-RandomPassword within BOSH-Ecosystem’s windows-utilities-release. The password for the Administrator account is derived from a clock-seeded PRNG, allowing a network attacker who can estimate VM boot time to reconstruct a small candidate list and recover the Adminis...

ATTACKERKB•added 2026/06/04 2:10 a.m.•5 views

CVE-2026-41858

EUVD•added 2026/06/04 2:10 a.m.•10 views

EUVD-2026-34195

Cvelist•added 2026/06/04 2:10 a.m.•36 views

CVE-2026-41858

7.5CVSS0.00245EPSS

RedhatCVE•added 2026/06/04 12:13 a.m.•8 views

CVE-2026-8647

A flaw was found in perl-Crypt-ScryptKDF. The randombytes function in versions through 0.010 uses an insecure random number source when no cryptographically secure pseudorandom number generator CSPRNG module is available. This occurs because the function falls back to using the built-in rand...

4.8CVSS5.6AI score0.00222EPSS

Positive Technologies•added 2026/06/04 12:0 a.m.•11 views

PT-2026-46132

Cloud Foundry•added 2026/06/01 12:0 a.m.•4 views

CVE-2026-41858 - Brute forceable windows admin creds | Cloud Foundry

CVSS score: 6.5 Medium CVSS:3/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N Vendor CloudFoundry Foundation Versions Affected Severity is HIGH unless otherwise noted. windows-utilities-release – All versions prior to v0.23.0 Description Weak Randomness / Insecure Cryptographic Primitive CWE-338 in...

Tenable Nessus•added 2026/06/01 12:0 a.m.•9 views

Exploits0

Fedora 44 : perl-Crypt-PasswdMD5 (2026-30d86fe986)

The remote Fedora 44 host has a package installed that is affected by a vulnerability as referenced in the FEDORA-2026-30d86fe986 advisory. This update uses a cryptographically strong random number source rather than perl's rand function to generate random salt values when required CVE-2026-6659...

7.5CVSS5.8AI score0.00414EPSS

Vulnrichment•added 2026/05/27 8:6 p.m.•9 views

CVE-2026-47272 pam_usb: OTP pad authentication bypass via missing system pad check and uninitialized RNG buffer

pamusb provides hardware authentication for Linux using ordinary removable media. Prior to 0.9.0, the pusbpadcompare function in src/pad.c only verified that the user-side pad /.pamusb/device.pad could be read, but did not enforce that the system-side pad the pad file on the USB device was also...

7.1CVSS5.9AI score0.00119EPSS

CVE•added 2026/05/27 8:6 p.m.•15 views

CVE-2026-47272

pam_usb for Linux allows local authentication bypass before version 0.9.0 due to pusb_pad_compare() only checking the user-side pad (~/.pamusb/device.pad) and not requiring the system-side pad on the USB device to be present. A local user can delete or obscure their own device.pad to bypass the U...

7.1CVSS5.9AI score0.00119EPSS

OSV•added 2026/05/27 3:1 p.m.•6 views

USN-8325-1 tgt vulnerability

It was discovered that tgt incorrectly tried to achieve entropy by calling rand without srand. An attacker could possibly use this issue to make tgt generate an identical sequence of challenges, resulting in authentication bypass...

5.9CVSS5.8AI score0.00547EPSS