Back to overview

CVE-2026-13082

MEDIUM
5.3
CVSS 3.1
Description
GD::SecurityImage versions through 1.75 for Perl use rand to generate secrets. The random method creates the challenge text used for the CAPTCHA by sampling characters from an array using Perl's built-in rand function, and generates a (by default) six-character string. The built-in rand function is unsuitable for security applications because it is predictable and reversible.

Metadata

CVE ID
CVE-2026-13082
State
PUBLISHED
Assigner
CPANSec
Reserved
2026-06-23 18:17 UTC
Published
2026-07-17 12:54 UTC
Last updated
2026-07-17 17:29 UTC
Primary CWE
CWE-338
CWE-338 Use of Cryptographically Weak Pseudo-Random Number G…
Vendor / Product
BURAK / GD::SecurityImage
Sources
cve.org  ·  NVD

Severity & Metrics

5.3 MEDIUM CVSS 3.1
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
SSVC — CISA Coordinator
Exploitation
none
Automatable
yes
Tech. Impact
partial
Affected products (1)
VendorProductPlatformVersions
BURAK GD::SecurityImage 0 ≤ 1.75
Weakness (CWE)
CWESourceDescription
CWE-338 cna CWE-338 Use of Cryptographically Weak Pseudo-Random Number Generator
CWE-804 cna CWE-804 Guessable CAPTCHA
CVSS scores (1)
ScoreSeverityVersionSourceVector
5.3 MEDIUM 3.1 adp CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Back to overview