Description

Trog::TOTP versions before 1.006 for Perl generate secrets using rand. Secrets were generated using Perl's built-in rand function, which is predictable and unsuitable for security usage.

PUBLISHED Reserved 2026-05-14 | Published 2026-05-15 | Updated 2026-05-18 | Assigner CPANSec

Problem types

CWE-331 Insufficient Entropy

Product status

Default status: unaffected

Any version before 1.006: affected

Timeline

2026-05-13: CPANSec identified issue
2026-05-14: Author was notified
2026-05-15: Version 1.006 released

References

www.openwall.com/lists/oss-security/2026/05/15/18

metacpan.org/release/TEODESIAN/Trog-TOTP-1.006/changes release-notes

metacpan.org/...og-TOTP-1.006/diff/TEODESIAN/Trog-TOTP-1.005

cve.org (CVE-2026-46474)

nvd.nist.gov (CVE-2026-46474)
