CVE-2018-25160

CVE-2018-25160: HTTP::Session2 versions through 1.09 for Perl does not validate the format of user provided session ids, enabling code injection or other impact depending on session backend

Vendor Tokuhirom

Product HTTP::Session2

Weakness CWE-20 · Input validation

Published February 27, 2026

Last update March 3, 2026

View on NVD All CVEs

CVSS base score

—

What the vulnerability does

01Description

HTTP::Session2 versions through 1.09 for Perl does not validate the format of user provided session ids, enabling code injection or other impact depending on session backend. For example, if an application uses memcached for session storage, then it may be possible for a remote attacker to inject memcached commands in the session id value.

Key dates

02Disclosure timeline

February 27, 2026 CVE published

March 3, 2026 Record updated

External resources

03References

NVD — National Vulnerability Database https://nvd.nist.gov/vuln/detail/CVE-2018-25160 CWE — Common Weakness Enumeration https://cwe.mitre.org/data/definitions/20.html

Related vulnerabilities

CVE-2018-25160: HTTP::Session2 versions through 1.09 for Perl does not validate the format of user provided session ids, enabling code injection or other impact depending on session backend

01Description

02Disclosure timeline

03References

04Related CVE