CWE-338 · Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG)
191 CVEs classified under CWE-338 (Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG)). Browse by severity and year.
| CVE | Severity | Score | Published | Summary |
|---|---|---|---|---|
CVE-2026-56141 | Critical | 9.8 | 2026-06-19 | In JetBrains Hub before 2026.1.13757, 2025.3.148033, 2025.2.148048, 2025.1.148120, 2024.3.148430, 2024.2.148429 account takeover via predictable restore codes… |
CVE-2026-3256 | Critical | 9.8 | 2026-03-28 | HTTP::Session versions before 0.54 for Perl defaults to using insecurely generated session ids. HTTP::Session defaults to using HTTP::Session::ID::SHA1 to gen… |
CVE-2025-15604 | Critical | 9.8 | 2026-03-28 | Amon2 versions before 6.17 for Perl use an insecure random_string implementation for security functions. In versions 6.06 through 6.16, the random_string func… |
CVE-2025-40926 | Critical | 9.8 | 2026-03-05 | Plack::Middleware::Session::Simple versions before 0.05 for Perl generates session ids insecurely. The default session id generator returns a SHA-1 hash seede… |
CVE-2026-2439 | Critical | 9.8 | 2026-02-16 | Concierge::Sessions versions from 0.8.1 before 0.8.5 for Perl generate insecure session ids. The generate_session_id function in Concierge::Sessions::Base defa… |
CVE-2025-15578 | Critical | 9.8 | 2026-02-16 | Maypole versions from 2.10 through 2.13 for Perl generates session ids insecurely. The session id is seeded with the system time (which is available from HTTP… |
CVE-2025-68932 | Critical | 9.8 | 2025-12-27 | FreshRSS is a free, self-hostable RSS aggregator. Prior to version 1.28.0, FreshRSS uses cryptographically weak random number generators (mt_rand() and uniqid(… |
CVE-2025-66565 | Critical | 9.8 | 2025-12-09 | Fiber Utils is a collection of common functions created for Fiber. In versions 2.0.0-rc.3 and below, when the system's cryptographic random number generator (c… |
CVE-2025-59390 | Critical | 9.8 | 2025-11-26 | Apache Druid’s Kerberos authenticator uses a weak fallback secret when the `druid.auth.authenticator.kerberos.cookieSignatureSecret` configuration is not expli… |
CVE-2025-7394 | Critical | 9.8 | 2025-07-18 | In the OpenSSL compatibility layer implementation, the function RAND_poll() was not behaving as expected and leading to the potential for predictable values re… |
CVE-2025-3495 | Critical | 9.8 | 2025-04-16 | Delta Electronics COMMGR v1 and v2 uses insufficiently randomized values to generate session IDs (CWE-338). An attacker could easily brute force a session ID a… |
CVE-2024-40762 | Critical | 9.8 | 2025-01-09 | Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG) in the SonicOS SSLVPN authentication token generator that, in certain cases, can be predict… |
CVE-2023-36993 | Critical | 9.8 | 2023-07-07 | The cryptographically insecure random number generator being used in TravianZ 8.3.4 and 8.3.3 in the password reset function allows an attacker to guess the pa… |
CVE-2023-2884 | Critical | 9.8 | 2023-05-25 | Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG), Use of Insufficiently Random Values vulnerability in CBOT Chatbot allows Signature Spoofin… |
CVE-2022-44796 | Critical | 9.8 | 2022-11-07 | An issue was discovered in Object First Ootbi BETA build 1.0.7.712. The authorization service has a flow that allows getting access to the Web UI without knowi… |
CVE-2011-4574 | Critical | 9.8 | 2021-10-27 | PolarSSL versions prior to v1.1 use the HAVEGE random number generation algorithm. At its heart, this uses timing information based on the processor's high res… |
CVE-2021-3538 | Critical | 9.8 | 2021-06-02 | A flaw was found in github.com/satori/go.uuid in versions from commit 0ef6afb2f6cdd6cdaeee3885a95099c63f18fc8c to d91630c8510268e75203009fe7daf2b8e1d60c45. Due… |
CVE-2019-14480 | Critical | 9.8 | 2020-12-16 | AdRem NetCrunch 10.6.0.4587 has an Improper Session Handling vulnerability in the NetCrunch web client, which can lead to an authentication bypass or escalatio… |
CVE-2020-28642 | Critical | 9.8 | 2020-11-16 | In InfiniteWP Admin Panel before 3.1.12.3, resetPasswordSendMail generates a weak password-reset code, which makes it easier for remote attackers to conduct ad… |
CVE-2015-9435 | Critical | 9.8 | 2019-09-26 | The oauth2-provider plugin before 3.1.5 for WordPress has incorrect generation of random numbers. |