CVE-2025-15578 | Maypole versions from 2.10 through 2.13 for Perl generates s… | CVSS 9.8 CRITICAL

Description

Maypole versions from 2.10 through 2.13 for Perl generates session ids insecurely. The session id is seeded with the system time (which is available from HTTP response headers), a call to the built-in rand() function, and the PID.

Metadata

CVE ID: CVE-2025-15578
State: PUBLISHED
Assigner: CPANSec
Reserved: 2026-02-12 23:45 UTC
Published: 2026-02-16 21:18 UTC
Last updated: 2026-02-17 14:46 UTC
Primary CWE: CWE-338
CWE-338 Use of Cryptographically Weak Pseudo-Random Number G…
Vendor / Product: TEEJAY / Maypole
Sources: cve.org · NVD

Severity & Metrics

9.8 CRITICAL CVSS 3.1

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

SSVC — CISA Coordinator

Exploitation: none
Automatable: yes
Tech. Impact: total

Affected products (1)

Vendor	Product	Platform	Versions
TEEJAY	Maypole	—	2.10 ≤ 2.13

Weakness (CWE)

CWE	Source	Description
CWE-338	cna	CWE-338 Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG)

CVSS scores (1)

Score	Severity	Version	Source	Vector
9.8	CRITICAL	3.1	adp	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

References (1)

https://metacpan.org/dist/Maypole/source/lib/Maypole/Session.pm#L43