CVE-2018-25160

6.5 MEDIUM
Published: February 27, 2026 Modified: March 18, 2026
View on NVD

Description

HTTP::Session2 versions through 1.09 for Perl does not validate the format of user provided session ids, enabling code injection or other impact depending on session backend. For example, if an application uses memcached for session storage, then it may be possible for a remote attacker to inject memcached commands in the session id value.

AI Explanation

Get an AI-powered plain-language explanation of this vulnerability and remediation steps.

Login to generate AI explanation

CVSS v3.x Details

0.0 Low Medium High Critical 10.0
Vector String
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N

References to Advisories, Solutions, and Tools

Patch Vendor Advisory Exploit Third Party Advisory
https://github.com/tokuhirom/HTTP-Session2/commit/813838f6d08034b6a265a70e53b59b941b5d3e6d.patch
Source: 9b29abf9-4ab0-4765-b253-1875cd9b441e
Patch
https://metacpan.org/pod/Cache::Memcached::Fast::Safe
Source: 9b29abf9-4ab0-4765-b253-1875cd9b441e
Third Party Advisory
https://metacpan.org/release/TOKUHIROM/HTTP-Session2-1.10/source/Changes
Source: 9b29abf9-4ab0-4765-b253-1875cd9b441e
Product Release Notes
http://www.openwall.com/lists/oss-security/2026/02/27/13
Source: af854a3a-2127-422b-91ae-364da2661108
Mailing List Third Party Advisory

4 reference(s) from NVD

Quick Stats

CVSS v3 Score
6.5 / 10.0
EPSS (Exploit Probability)
0.0%
3th percentile
Exploitation Status
Not in CISA KEV

Weaknesses (CWE)

CWE-20

Affected Vendors

tokuhirom

Related CVEs

CVE-2026-4514 6.3
CVE-2026-4513 6.3
CVE-2026-4511 6.3
CVE-2026-4510 4.3
CVE-2026-4373 7.5