6.5

Perl HTTP::Session2 versions 1.09 and below allow session ID tampering

CVE-2018-25160
Summary

If you use Perl's HTTP::Session2 for session management, an attacker could tamper with session IDs to inject commands into the session backend, potentially allowing them to access your users' data or take control of your system. This matters because it could lead to unauthorized access or data breaches. To protect your system, update to a version of HTTP::Session2 that fixes this issue as soon as possible.

Original title
HTTP::Session2 versions through 1.09 for Perl does not validate the format of user provided session ids, enabling code injection or other impact depending on session backend. For example, if an ap...
Original description
HTTP::Session2 versions through 1.09 for Perl does not validate the format of user provided session ids, enabling code injection or other impact depending on session backend.

For example, if an application uses memcached for session storage, then it may be possible for a remote attacker to inject memcached commands in the session id value.
NVD CVSS 3.1: 6.5
Vulnerability type
CWE-20 Improper Input Validation
Published: 27 Feb 2026 · Updated: 13 Mar 2026 · First seen: 6 Mar 2026
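
The description above comes down to a missing format check on the session id before it reaches the backend; the memcached text protocol separates key tokens with spaces and ends commands with CRLF, so an id containing those bytes is no longer a single key. The following is an added example, not code from HTTP::Session2 or from this advisory, of an application-side allowlist check. The 40-character hex id format, the function names and the in-memory hash standing in for memcached are all assumptions made for illustration.

```perl
#!/usr/bin/env perl
use strict;
use warnings;

# Assumption: the application issues session ids as 40 lowercase hex
# characters. Adjust the pattern to whatever your id generator emits.
my $SESSION_ID_RE = qr/\A[0-9a-f]{40}\z/;

# Returns the id unchanged if it matches the expected format, undef otherwise.
# \A and \z anchor the whole string; "$" would still accept a trailing newline.
sub validate_session_id {
    my ($id) = @_;
    return unless defined $id && !ref $id;    # reject undef and array/hash params
    return $id =~ $SESSION_ID_RE ? $id : undef;
}

# Hypothetical wrapper: only ids that pass validation are used to build a
# backend key. Anything else is treated as "no session" so the application
# issues a fresh id instead of passing client bytes to the store.
sub load_session {
    my ($store, $cookie_value) = @_;
    my $id = validate_session_id($cookie_value);
    return unless defined $id;
    return $store->{"session:$id"};           # stand-in for a memcached get
}

# Constructed sample data: one stored session and a set of client-supplied ids.
my %store   = ('session:' . ('a' x 40) => { user => 'alice' });
my @samples = (
    [ 'well-formed id'   => 'a' x 40 ],
    [ 'trailing newline' => ('a' x 40) . "\n" ],
    [ 'embedded CRLF'    => ('a' x 19) . "\r\n" . ('a' x 19) ],
    [ 'embedded space'   => ('a' x 20) . ' ' . ('a' x 19) ],
    [ 'uppercase hex'    => 'A' x 40 ],
    [ 'too short'        => 'abc123' ],
    [ 'array parameter'  => [ 'a' x 40 ] ],
    [ 'undefined'        => undef ],
);

for my $sample (@samples) {
    my ($label, $value) = @$sample;
    my $session = load_session(\%store, $value);
    printf "%-17s => %s\n", $label, $session ? 'loaded' : 'rejected';
}
```

The check belongs at the point where the cookie or parameter value is first read, before any key is built, and it complements rather than replaces upgrading the module.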