
CWE-340 (Predictability Problems) — Vulnerability Class 36

36 vulnerabilities classified as CWE-340 (Predictability Problems). AI Chinese analysis included.

CWE-340 covers the weakness where software generates numbers or identifiers with less entropy than the use requires, so that an attacker can predict them. The flaw typically arises when developers rely on a basic (non-cryptographic) pseudo-random number generator, a generator seeded with a guessable value, or a sequential counter in security-sensitive contexts such as session tokens, password-reset tokens, nonces, cryptographic keys, or access-control identifiers. An attacker who can observe a few values, or who knows the seed, reconstructs the sequence or brute-forces the small remaining search space to hijack sessions, escalate privileges, or bypass authentication entirely. The mitigation is to draw every security-relevant value from a cryptographically secure pseudo-random number generator (CSPRNG) seeded by the operating system, to give each value enough entropy (128 bits or more for tokens), and never to use sequential or attacker-influenced identifiers for security purposes. When generated values are statistically random and unpredictable, identifier guessing stops being a practical attack and the integrity of the controls built on those values is preserved.

MITRE CWE Description
The product uses a scheme that generates numbers or identifiers that are more predictable than required.
Common Consequences (1)
Scope: Other · Impact: Varies by Context
Examples (1)
This code generates a unique random identifier for a user's session.

    // seeding the PRNG with the user id makes the "random" session id a function
    // of that id: anyone who knows or guesses the id can recompute it
    function generateSessionID($userID) {
        srand($userID);
        return rand();
    }

Bad · PHP
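The following is an added example, not code from the CWE page or from MITRE: it places the predictable generator above beside a hardened replacement and a simple acceptance check. The function names generateSessionIDWeak, generateSessionIDStrong and looksLikeStrongSessionID and the sample user id 1234 are the example's own choices; random_bytes() and bin2hex() are standard PHP functions.

```php
<?php
// Added example (not from the CWE page or MITRE): the predictable generator
// from the example above beside a hardened replacement.

// BAD: seeding rand() with the user id makes the "random" session id a pure
// function of the user id. Two calls for the same user return the same value,
// and anyone who knows or guesses a user id can reproduce it.
function generateSessionIDWeak(int $userID): int
{
    srand($userID);
    return rand();
}

// GOOD: random_bytes() draws from the operating system's CSPRNG and takes no
// attacker-known input. 32 bytes give 256 bits of entropy; hex encoding keeps
// the value safe to place in a cookie.
function generateSessionIDStrong(): string
{
    return bin2hex(random_bytes(32));
}

// Defensive check a session layer can apply before accepting an id from
// storage or a cookie: exact length and alphabet of the strong generator.
function looksLikeStrongSessionID(string $id): bool
{
    return preg_match('/^[0-9a-f]{64}$/', $id) === 1;
}

// Demonstration: the weak generator is deterministic per user id, the strong one is not.
$userID = 1234; // constructed sample value
$weakA = generateSessionIDWeak($userID);
$weakB = generateSessionIDWeak($userID);
printf("weak:   %d == %d ? %s\n", $weakA, $weakB,
    $weakA === $weakB ? 'yes (predictable)' : 'no');

$strongA = generateSessionIDStrong();
$strongB = generateSessionIDStrong();
printf("strong: %s\n        %s\n        identical? %s, well-formed? %s\n",
    $strongA, $strongB,
    $strongA === $strongB ? 'yes' : 'no',
    (looksLikeStrongSessionID($strongA) && looksLikeStrongSessionID($strongB)) ? 'yes' : 'no');
```

Run with `php example.php`: the weak line reports the same integer twice, the strong lines show two different 64-character hex strings. The same pattern applies to the Perl session modules in the table below, whose fixes replace rand()-based ids with a CSPRNG-backed source.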
CVE ID | Title | Product | CVSS | Severity | Published
--- | --- | --- | --- | --- | ---
CVE-2026-5084 | WebDyne::Session versions through 2.075 for Perl generates the session id insecurely | WebDyne::Session | 9.1 (AI) | Critical (AI) | 2026-05-11
CVE-2026-5081 | Apache::Session::Generate::ModUniqueId versions from 1.54 through 1.94 for Perl session ids are insecure | Apache::Session::Generate::ModUniqueId | 9.1 (AI) | Critical (AI) | 2026-05-06
CVE-2026-5080 | Dancer::Session::Abstract versions through 1.3522 for Perl generates session ids insecurely | Dancer::Session::Abstract | 7.5 | - | 2026-04-30
CVE-2026-5085 | Solstice::Session versions through 1440 for Perl generates session ids insecurely | Solstice::Session | 7.5 | - | 2026-04-13
CVE-2026-5083 | Ado::Sessions versions through 0.935 for Perl generates insecure session ids | Ado::Sessions | 9.1 (AI) | Critical (AI) | 2026-04-08
CVE-2026-5082 | Amon2::Plugin::Web::CSRFDefender versions from 7.00 through 7.03 for Perl generate an insecure session id | Amon2::Plugin::Web::CSRFDefender | 7.5 (AI) | High (AI) | 2026-04-08
CVE-2026-28810 | Predictable DNS Transaction IDs Enable Cache Poisoning in Built-in Resolver | OTP | 5.0 (AI) | Medium (AI) | 2026-04-07
CVE-2025-13044 | Multiple Vulnerabilities in IBM Concert Software | Concert | 6.2 | Medium | 2026-04-07
CVE-2026-3256 | HTTP::Session versions through 0.53 for Perl defaults to using insecurely generated session ids | HTTP::Session | 5.9 | - | 2026-03-28
CVE-2025-15604 | Amon2 versions before 6.17 for Perl use an insecure random_string implementation for security functions | Amon2 | 5.9 | - | 2026-03-28
CVE-2026-4269 | Improper S3 ownership verification in Bedrock AgentCore Starter Toolkit | Bedrock AgentCore Starter Toolkit | 7.5 | High | 2026-03-16
CVE-2025-40931 | Apache::Session::Generate::MD5 versions through 1.94 for Perl create insecure session id | Apache::Session::Generate::MD5 | 9.8 | - | 2026-03-05
CVE-2025-40926 | Plack::Middleware::Session::Simple versions before 0.05 for Perl generates session ids insecurely | Plack::Middleware::Session::Simple | 9.8 | - | 2026-03-05
CVE-2026-3255 | HTTP::Session2 versions before 1.12 for Perl may generate weak session ids using the rand() function | HTTP::Session2 | 3.7 | - | 2026-02-27
CVE-2025-40932 | Apache::SessionX versions through 2.01 for Perl create insecure session id | Apache::SessionX | 9.8 (AI) | Critical (AI) | 2026-02-26
CVE-2026-2473 | Bucket Squatting in Vertex AI Experiments leads to RCE and Model Theft | Vertex AI Experiments | 9.8 (AI) | Critical (AI) | 2026-02-20
CVE-2026-2439 | Concierge::Sessions versions from 0.8.1 before 0.8.5 for Perl generate insecure session ids | Concierge::Sessions | 7.5 (AI) | High (AI) | 2026-02-16
CVE-2025-69286 | RAGFlow has Predictable Token Generation Leading to Authentication Bypass Vulnerability | ragflow | 9.8 | - | 2025-12-31
CVE-2025-62294 | Predictable Generation of Password Recovery Token | SOPlanning | 9.8 | - | 2025-11-20
CVE-2025-58424 | BIG-IP TMM vulnerability | BIG-IP | 5.3 | Medium | 2025-10-15
CVE-2025-3449 | Weak Session Token used in Automation Runtime SDM | Automation Runtime | 4.2 | Medium | 2025-10-07
CVE-2025-59452 | YoSmart YoLink API security vulnerability | YoLink API | 5.8 | Medium | 2025-10-06
CVE-2025-40925 | Starch versions 0.14 and earlier generate session ids insecurely | Starch | 9.8 (AI) | Critical (AI) | 2025-09-20
CVE-2025-40933 | Apache::AuthAny::Cookie v0.201 or earlier for Perl generates session ids insecurely | Apache::AuthAny | 9.1 (AI) | Critical (AI) | 2025-09-17
CVE-2025-40920 | Catalyst::Authentication::Credential::HTTP versions 1.018 and earlier for Perl use insecurely generated nonces | Catalyst::Authentication::Credential::HTTP | 7.4 (AI) | High (AI) | 2025-08-11
CVE-2025-40924 | Catalyst::Plugin::Session before version 0.44 for Perl generates session ids insecurely | Catalyst::Plugin::Session | 9.8 (AI) | Critical (AI) | 2025-07-17
CVE-2025-40919 | Authen::DigestMD5 versions 0.01 through 0.04 for Perl generate the cnonce insecurely | Authen::DigestMD5 | 7.5 (AI) | High (AI) | 2025-07-16
CVE-2025-40918 | Authen::SASL::Perl::DIGEST_MD5 versions 2.04 through 2.1800 for Perl generates the cnonce insecurely | Authen::SASL::Perl::DIGEST_MD5 | 5.3 | - | 2025-07-16
CVE-2025-40923 | Plack-Middleware-Session before version 0.35 for Perl generates session ids insecurely | Plack::Middleware::Session | 9.8 (AI) | Critical (AI) | 2025-07-16
CVE-2024-10603 | Google gVisor security vulnerability | gVisor | - | - | 2025-01-30

(AI) reproduces the page's "AI" marker on a score or severity; "-" means the page lists no value.

Vulnerabilities classified as CWE-340 (Predictability Problems) account for 36 CVEs. The CWE taxonomy describes the weakness only; review the individual CVEs for product-specific impact.