{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-6659", "assignerOrgId": "9b29abf9-4ab0-4765-b253-1875cd9b441e", "state": "PUBLISHED", "assignerShortName": "CPANSec", "dateReserved": "2026-04-20T08:24:35.812Z", "datePublished": "2026-05-08T17:17:01.357Z", "dateUpdated": "2026-05-26T22:52:31.427Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://cpan.org/modules", "defaultStatus": "unaffected", "packageName": "Crypt-PasswdMD5", "product": "Crypt::PasswdMD5", "programFiles": ["lib/Crypt/PasswdMD5.pm"], "programRoutines": [{"name": "Crypt::PasswdMD5::random_md5_salt"}], "repo": "https://github.com/ronsavage/Crypt-PasswdMD5", "vendor": "RSAVAGE", "versions": [{"lessThanOrEqual": "1.42", "status": "affected", "version": "0", "versionType": "custom"}]}], "descriptions": [{"lang": "en", "value": "Crypt::PasswdMD5 versions through 1.42 for Perl generates insecure random values for salts.\n\nThe built-in rand function is predictable, and unsuitable for cryptography."}], "problemTypes": [{"descriptions": [{"cweId": "CWE-338", "description": "CWE-338 Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG)", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "9b29abf9-4ab0-4765-b253-1875cd9b441e", "shortName": "CPANSec", "dateUpdated": "2026-05-26T22:52:31.427Z"}, "references": [{"tags": ["release-notes"], "url": "https://metacpan.org/release/RSAVAGE/Crypt-PasswdMD5-1.43/changes"}, {"tags": ["issue-tracking"], "url": "https://github.com/ronsavage/Crypt-PasswdMD5/pull/3"}, {"tags": ["patch"], "url": "https://github.com/ronsavage/Crypt-PasswdMD5/commit/a2f821637db0296082297aa4b02254ab08f0dc5e.patch"}, {"url": "https://metacpan.org/release/RSAVAGE/Crypt-PasswdMD5-1.42/source/lib/Crypt/PasswdMD5.pm#L35-47"}], "solutions": [{"lang": "en", "value": "Upgrade to version 1.43 or later."}], "source": {"discovery": "UNKNOWN"}, "timeline": [{"lang": "en", "time": "2026-04-14T00:00:00.000Z", "value": "Issue reported to CPANSec"}, {"lang": "en", "time": "2026-04-20T00:00:00.000Z", "value": "Maintainer notified"}, {"lang": "en", "time": "2026-05-08T00:00:00.000Z", "value": "Vulnerability published"}, {"lang": "en", "time": "2026-05-23T00:00:00.000Z", "value": "Version 1.43 with fix uploaded to CPAN"}], "title": "Crypt::PasswdMD5 versions through 1.42 for Perl generates insecure random values for salts", "x_generator": {"engine": "cpansec-cna-tool 0.1"}}, "adp": [{"metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2026-05-08T18:01:59.977528Z", "id": "CVE-2026-6659", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-05-08T18:04:17.941Z"}}, {"title": "CVE Program Container", "references": [{"url": "http://www.openwall.com/lists/oss-security/2026/05/08/17"}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2026-05-08T19:30:59.696Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "http://www.openwall.com/lists/oss-security/2026/05/08/17"}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2026-05-08T19:30:59.696Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2026-6659", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-05-08T18:01:59.977528Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-05-08T18:03:26.899Z"}}], "cna": {"title": "Crypt::PasswdMD5 versions through 1.42 for Perl generates insecure random values for salts", "source": {"discovery": "UNKNOWN"}, "affected": [{"repo": "https://github.com/ronsavage/Crypt-PasswdMD5", "vendor": "RSAVAGE", "product": "Crypt::PasswdMD5", "versions": [{"status": "affected", "version": "0", "versionType": "custom", "lessThanOrEqual": "1.42"}], "packageName": "Crypt-PasswdMD5", "programFiles": ["lib/Crypt/PasswdMD5.pm"], "collectionURL": "https://cpan.org/modules", "defaultStatus": "unaffected", "programRoutines": [{"name": "Crypt::PasswdMD5::random_md5_salt"}]}], "timeline": [{"lang": "en", "time": "2026-04-14T00:00:00.000Z", "value": "Issue reported to CPANSec"}, {"lang": "en", "time": "2026-04-20T00:00:00.000Z", "value": "Maintainer notified"}, {"lang": "en", "time": "2026-05-08T00:00:00.000Z", "value": "Vulnerability published"}, {"lang": "en", "time": "2026-05-23T00:00:00.000Z", "value": "Version 1.43 with fix uploaded to CPAN"}], "solutions": [{"lang": "en", "value": "Upgrade to version 1.43 or later."}], "references": [{"url": "https://metacpan.org/release/RSAVAGE/Crypt-PasswdMD5-1.43/changes", "tags": ["release-notes"]}, {"url": "https://github.com/ronsavage/Crypt-PasswdMD5/pull/3", "tags": ["issue-tracking"]}, {"url": "https://github.com/ronsavage/Crypt-PasswdMD5/commit/a2f821637db0296082297aa4b02254ab08f0dc5e.patch", "tags": ["patch"]}, {"url": "https://metacpan.org/release/RSAVAGE/Crypt-PasswdMD5-1.42/source/lib/Crypt/PasswdMD5.pm#L35-47"}], "x_generator": {"engine": "cpansec-cna-tool 0.1"}, "descriptions": [{"lang": "en", "value": "Crypt::PasswdMD5 versions through 1.42 for Perl generates insecure random values for salts.\n\nThe built-in rand function is predictable, and unsuitable for cryptography."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-338", "description": "CWE-338 Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG)"}]}], "providerMetadata": {"orgId": "9b29abf9-4ab0-4765-b253-1875cd9b441e", "shortName": "CPANSec", "dateUpdated": "2026-05-26T22:52:31.427Z"}}}, "cveMetadata": {"cveId": "CVE-2026-6659", "state": "PUBLISHED", "dateUpdated": "2026-05-26T22:52:31.427Z", "dateReserved": "2026-04-20T08:24:35.812Z", "assignerOrgId": "9b29abf9-4ab0-4765-b253-1875cd9b441e", "datePublished": "2026-05-08T17:17:01.357Z", "assignerShortName": "CPANSec"}, "dataVersion": "5.2"}

{"affected": [{"affectedData": [{"collectionURL": "https://cpan.org/modules", "defaultStatus": "unaffected", "packageName": "Crypt-PasswdMD5", "product": "Crypt::PasswdMD5", "programFiles": ["lib/Crypt/PasswdMD5.pm"], "programRoutines": [{"name": "Crypt::PasswdMD5::random_md5_salt"}], "repo": "https://github.com/ronsavage/Crypt-PasswdMD5", "vendor": "RSAVAGE", "versions": [{"lessThanOrEqual": "1.42", "status": "affected", "version": "0", "versionType": "custom"}]}], "source": "9b29abf9-4ab0-4765-b253-1875cd9b441e"}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Crypt::PasswdMD5 versions through 1.42 for Perl generates insecure random values for salts.\n\nThe built-in rand function is predictable, and unsuitable for cryptography."}], "id": "CVE-2026-6659", "lastModified": "2026-06-17T11:01:09.840", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}], "ssvcV203": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "ssvcData": {"id": "CVE-2026-6659", "options": [{"exploitation": "none"}, {"automatable": "yes"}, {"technicalImpact": "partial"}], "role": "CISA Coordinator", "timestamp": "2026-05-08T18:01:59.977528Z", "version": "2.0.3"}}]}, "published": "2026-05-08T18:16:34.183", "references": [{"source": "9b29abf9-4ab0-4765-b253-1875cd9b441e", "url": "https://github.com/ronsavage/Crypt-PasswdMD5/commit/a2f821637db0296082297aa4b02254ab08f0dc5e.patch"}, {"source": "9b29abf9-4ab0-4765-b253-1875cd9b441e", "url": "https://github.com/ronsavage/Crypt-PasswdMD5/pull/3"}, {"source": "9b29abf9-4ab0-4765-b253-1875cd9b441e", "url": "https://metacpan.org/release/RSAVAGE/Crypt-PasswdMD5-1.42/source/lib/Crypt/PasswdMD5.pm#L35-47"}, {"source": "9b29abf9-4ab0-4765-b253-1875cd9b441e", "url": "https://metacpan.org/release/RSAVAGE/Crypt-PasswdMD5-1.43/changes"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.openwall.com/lists/oss-security/2026/05/08/17"}], "sourceIdentifier": "9b29abf9-4ab0-4765-b253-1875cd9b441e", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-338"}], "source": "9b29abf9-4ab0-4765-b253-1875cd9b441e", "type": "Secondary"}]}

{"bugzilla": {"description": "Crypt::PasswdMD5: Perl: Crypt::PasswdMD5: Weak cryptographic salts due to predictable random number generation", "id": "2468316", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2468316"}, "csaw": false, "cvss3": {"cvss3_base_score": "6.1", "cvss3_scoring_vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N", "status": "draft"}, "cwe": "CWE-338", "details": ["A flaw was found in Crypt::PasswdMD5 for Perl. This component generates insecure random values for cryptographic salts, which are used to strengthen password hashes. The built-in `rand` function, used for generating these salts, is predictable and not suitable for cryptographic purposes. This vulnerability could allow an attacker to more easily crack password hashes, potentially leading to unauthorized access or information disclosure."], "mitigation": {"lang": "en:us", "value": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base, or stability."}, "name": "CVE-2026-6659", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Fix deferred", "package_name": "perl", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Fix deferred", "package_name": "perl", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Fix deferred", "package_name": "perl", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Fix deferred", "package_name": "perl", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Fix deferred", "package_name": "perl:5.32/perl", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Fix deferred", "package_name": "perl", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/a:redhat:openshift:4", "fix_state": "Fix deferred", "package_name": "rhcos", "product_name": "Red Hat OpenShift Container Platform 4"}], "public_date": "2026-05-08T17:17:01Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-6659\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-6659\nhttps://metacpan.org/release/RSAVAGE/Crypt-PasswdMD5-1.42/source/lib/Crypt/PasswdMD5.pm#L35-47"], "threat_severity": "Moderate"}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[0,1.42]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "Crypt::PasswdMD5", "source": "cna", "vendor": "RSAVAGE"}, "product": "crypt::passwdmd5", "vendor": "rsavage"}], "created": "2026-05-08T19:45:15.201008+00:00", "updated": "2026-05-10T21:25:01.081686+00:00", "vendors": ["rsavage", "rsavage$PRODUCT$crypt::passwdmd5"]}