CVE-2026-13082 (GCVE-0-2026-13082)

Vulnerability from cvelistv5 – Published: 2026-07-17 12:54 – Updated: 2026-07-17 17:29
VLAI
Title
GD::SecurityImage versions through 1.75 for Perl use rand to generate secrets
Summary
GD::SecurityImage versions through 1.75 for Perl use rand to generate secrets. The random method creates the challenge text used for the CAPTCHA by sampling characters from an array using Perl's built-in rand function, and generates a (by default) six-character string. The built-in rand function is unsuitable for security applications because it is predictable and reversible.
SSVC
Exploitation: none Automatable: yes Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
  • CWE-338 - Use of Cryptographically Weak Pseudo-Random Number Generator
  • CWE-804 - Guessable CAPTCHA
Assigner
Impacted products
Vendor Product Version
BURAK GD::SecurityImage Affected: 0 , ≤ 1.75 (custom)
Create a notification for this product.
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "NETWORK",
              "availabilityImpact": "NONE",
              "baseScore": 5.3,
              "baseSeverity": "MEDIUM",
              "confidentialityImpact": "NONE",
              "integrityImpact": "LOW",
              "privilegesRequired": "NONE",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2026-13082",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-07-17T17:29:10.397745Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-07-17T17:29:23.536Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "collectionURL": "https://cpan.org/modules",
          "defaultStatus": "unaffected",
          "packageName": "GD-SecurityImage",
          "product": "GD::SecurityImage",
          "programFiles": [
            "lib/GD/SecurityImage.pm"
          ],
          "programRoutines": [
            {
              "name": "GD::SecurityImage::random"
            },
            {
              "name": "GD::SecurityImage::random_angle"
            },
            {
              "name": "GD::SecurityImage::particle"
            }
          ],
          "repo": "https://github.com/burak/CPAN-GD-SecurityImage",
          "vendor": "BURAK",
          "versions": [
            {
              "lessThanOrEqual": "1.75",
              "status": "affected",
              "version": "0",
              "versionType": "custom"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "GD::SecurityImage versions through 1.75 for Perl use rand to generate secrets.\n\nThe random method creates the challenge text used for the CAPTCHA by sampling characters from an array using Perl\u0027s built-in rand function, and generates a (by default) six-character string.\n\nThe built-in rand function is unsuitable for security applications because it is predictable and reversible."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-338",
              "description": "CWE-338 Use of Cryptographically Weak Pseudo-Random Number Generator",
              "lang": "en",
              "type": "CWE"
            }
          ]
        },
        {
          "descriptions": [
            {
              "cweId": "CWE-804",
              "description": "CWE-804 Guessable CAPTCHA",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-07-17T12:54:07.177Z",
        "orgId": "9b29abf9-4ab0-4765-b253-1875cd9b441e",
        "shortName": "CPANSec"
      },
      "references": [
        {
          "tags": [
            "related"
          ],
          "url": "https://www.cve.org/CVERecord?id=CVE-2025-40916"
        },
        {
          "tags": [
            "patch"
          ],
          "url": "https://security.metacpan.org/patches/G/GD-SecurityImage/1.75/CVE-2026-13082-r1.patch"
        }
      ],
      "source": {
        "discovery": "UNKNOWN"
      },
      "timeline": [
        {
          "lang": "en",
          "time": "2018-12-24T00:00:00.000Z",
          "value": "Version 1.75 released."
        },
        {
          "lang": "en",
          "time": "2026-03-10T00:00:00.000Z",
          "value": "The git repository was archived."
        }
      ],
      "title": "GD::SecurityImage versions through 1.75 for Perl use rand to generate secrets",
      "workarounds": [
        {
          "lang": "en",
          "value": "GD::SecurityImage has not been updated since 2018, the module is flagged as ADOPTME on CPAN, and the git repository is archived as read-only, which prevents issues and pull requests from being created.\n\nUsers are advised to find an alternative solution.\n\nFor users who are unable to migrate to an alternative, install Crypt::URandom::MonkeyPatch (which will override the built-in rand with a wrapper around Crypt::URandom) and apply the patch."
        }
      ],
      "x_generator": {
        "engine": "cpansec-cna-tool 0.1"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "9b29abf9-4ab0-4765-b253-1875cd9b441e",
    "assignerShortName": "CPANSec",
    "cveId": "CVE-2026-13082",
    "datePublished": "2026-07-17T12:54:07.177Z",
    "dateReserved": "2026-06-23T18:17:08.243Z",
    "dateUpdated": "2026-07-17T17:29:23.536Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "vulnerability-lookup:meta": {
    "epss": {
      "cve": "CVE-2026-13082",
      "date": "2026-07-19",
      "epss": "0.00216",
      "percentile": "0.11989"
    },
    "nvd": "{\"cve\":{\"id\":\"CVE-2026-13082\",\"sourceIdentifier\":\"9b29abf9-4ab0-4765-b253-1875cd9b441e\",\"published\":\"2026-07-17T13:17:55.443\",\"lastModified\":\"2026-07-17T18:17:14.137\",\"vulnStatus\":\"Deferred\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"GD::SecurityImage versions through 1.75 for Perl use rand to generate secrets.\\n\\nThe random method creates the challenge text used for the CAPTCHA by sampling characters from an array using Perl\u0027s built-in rand function, and generates a (by default) six-character string.\\n\\nThe built-in rand function is unsuitable for security applications because it is predictable and reversible.\"}],\"affected\":[{\"source\":\"9b29abf9-4ab0-4765-b253-1875cd9b441e\",\"affectedData\":[{\"vendor\":\"BURAK\",\"product\":\"GD::SecurityImage\",\"defaultStatus\":\"unaffected\",\"collectionURL\":\"https://cpan.org/modules\",\"packageName\":\"GD-SecurityImage\",\"programFiles\":[\"lib/GD/SecurityImage.pm\"],\"programRoutines\":[{\"name\":\"GD::SecurityImage::random\"},{\"name\":\"GD::SecurityImage::random_angle\"},{\"name\":\"GD::SecurityImage::particle\"}],\"repo\":\"https://github.com/burak/CPAN-GD-SecurityImage\",\"versions\":[{\"version\":\"0\",\"lessThanOrEqual\":\"1.75\",\"versionType\":\"custom\",\"status\":\"affected\"}]}]}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"134c704f-9b21-4f2e-91b3-4a467353bcc0\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N\",\"baseScore\":5.3,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"LOW\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":3.9,\"impactScore\":1.4}],\"ssvcV203\":[{\"source\":\"134c704f-9b21-4f2e-91b3-4a467353bcc0\",\"ssvcData\":{\"timestamp\":\"2026-07-17T17:29:10.397745Z\",\"id\":\"CVE-2026-13082\",\"options\":[{\"exploitation\":\"none\"},{\"automatable\":\"yes\"},{\"technicalImpact\":\"partial\"}],\"role\":\"CISA Coordinator\",\"version\":\"2.0.3\"}}]},\"weaknesses\":[{\"source\":\"9b29abf9-4ab0-4765-b253-1875cd9b441e\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-338\"},{\"lang\":\"en\",\"value\":\"CWE-804\"}]}],\"references\":[{\"url\":\"https://security.metacpan.org/patches/G/GD-SecurityImage/1.75/CVE-2026-13082-r1.patch\",\"source\":\"9b29abf9-4ab0-4765-b253-1875cd9b441e\"},{\"url\":\"https://www.cve.org/CVERecord?id=CVE-2025-40916\",\"source\":\"9b29abf9-4ab0-4765-b253-1875cd9b441e\"}]}}",
    "redhat_vex": {
      "current_release_date": "2026-07-18T14:31:13+00:00",
      "cve": "CVE-2026-13082",
      "id": "CVE-2026-13082",
      "initial_release_date": "2026-07-17T12:54:07.177000+00:00",
      "product_status:known_not_affected": "1",
      "source": "Red Hat CSAF VEX",
      "status": "final",
      "title": "perl-GD-SecurityImage: the rand function is used to generate secrets",
      "url": "https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-13082.json",
      "version": "3"
    },
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"cvssV3_1\": {\"scope\": \"UNCHANGED\", \"version\": \"3.1\", \"baseScore\": 5.3, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"MEDIUM\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N\", \"integrityImpact\": \"LOW\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"NONE\", \"privilegesRequired\": \"NONE\", \"confidentialityImpact\": \"NONE\"}}, {\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2026-13082\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"yes\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2026-07-17T17:29:10.397745Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2026-07-17T17:29:03.597Z\"}}], \"cna\": {\"title\": \"GD::SecurityImage versions through 1.75 for Perl use rand to generate secrets\", \"source\": {\"discovery\": \"UNKNOWN\"}, \"affected\": [{\"repo\": \"https://github.com/burak/CPAN-GD-SecurityImage\", \"vendor\": \"BURAK\", \"product\": \"GD::SecurityImage\", \"versions\": [{\"status\": \"affected\", \"version\": \"0\", \"versionType\": \"custom\", \"lessThanOrEqual\": \"1.75\"}], \"packageName\": \"GD-SecurityImage\", \"programFiles\": [\"lib/GD/SecurityImage.pm\"], \"collectionURL\": \"https://cpan.org/modules\", \"defaultStatus\": \"unaffected\", \"programRoutines\": [{\"name\": \"GD::SecurityImage::random\"}, {\"name\": \"GD::SecurityImage::random_angle\"}, {\"name\": \"GD::SecurityImage::particle\"}]}], \"timeline\": [{\"lang\": \"en\", \"time\": \"2018-12-24T00:00:00.000Z\", \"value\": \"Version 1.75 released.\"}, {\"lang\": \"en\", \"time\": \"2026-03-10T00:00:00.000Z\", \"value\": \"The git repository was archived.\"}], \"references\": [{\"url\": \"https://www.cve.org/CVERecord?id=CVE-2025-40916\", \"tags\": [\"related\"]}, {\"url\": \"https://security.metacpan.org/patches/G/GD-SecurityImage/1.75/CVE-2026-13082-r1.patch\", \"tags\": [\"patch\"]}], \"workarounds\": [{\"lang\": \"en\", \"value\": \"GD::SecurityImage has not been updated since 2018, the module is flagged as ADOPTME on CPAN, and the git repository is archived as read-only, which prevents issues and pull requests from being created.\\n\\nUsers are advised to find an alternative solution.\\n\\nFor users who are unable to migrate to an alternative, install Crypt::URandom::MonkeyPatch (which will override the built-in rand with a wrapper around Crypt::URandom) and apply the patch.\"}], \"x_generator\": {\"engine\": \"cpansec-cna-tool 0.1\"}, \"descriptions\": [{\"lang\": \"en\", \"value\": \"GD::SecurityImage versions through 1.75 for Perl use rand to generate secrets.\\n\\nThe random method creates the challenge text used for the CAPTCHA by sampling characters from an array using Perl\u0027s built-in rand function, and generates a (by default) six-character string.\\n\\nThe built-in rand function is unsuitable for security applications because it is predictable and reversible.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-338\", \"description\": \"CWE-338 Use of Cryptographically Weak Pseudo-Random Number Generator\"}]}, {\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-804\", \"description\": \"CWE-804 Guessable CAPTCHA\"}]}], \"providerMetadata\": {\"orgId\": \"9b29abf9-4ab0-4765-b253-1875cd9b441e\", \"shortName\": \"CPANSec\", \"dateUpdated\": \"2026-07-17T12:54:07.177Z\"}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2026-13082\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2026-07-17T17:29:23.536Z\", \"dateReserved\": \"2026-06-23T18:17:08.243Z\", \"assignerOrgId\": \"9b29abf9-4ab0-4765-b253-1875cd9b441e\", \"datePublished\": \"2026-07-17T12:54:07.177Z\", \"assignerShortName\": \"CPANSec\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }
  }
}



Log in or create an account to share your comment.




Tags
Taxonomy of the tags.


Loading…

Loading…

Loading…

Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.

Sightings

Author Source Type Date Other

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Loading…

Detection rules are retrieved from Rulezet.

Loading…

Loading…