Unrated severityNVD Advisory· Published Feb 27, 2026· Updated Mar 3, 2026

HTTP::Session2 versions through 1.09 for Perl does not validate the format of user provided session ids, enabling code injection or other impact depending on session backend

CVE-2018-25160

Description

HTTP::Session2 versions through 1.09 for Perl does not validate the format of user provided session ids, enabling code injection or other impact depending on session backend.

For example, if an application uses memcached for session storage, then it may be possible for a remote attacker to inject memcached commands in the session id value.

Affected products

Ktat/HTTP::Sessionllm-fuzzy
Range: <= 1.09
TOKUHIROM/HTTP::Session2v5
Range: 0

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

github.com/tokuhirom/HTTP-Session2/commit/813838f6d08034b6a265a70e53b59b941b5d3e6d.patchmitrepatch
metacpan.org/pod/Cache::Memcached::Fast::Safemitrerelated
metacpan.org/release/TOKUHIROM/HTTP-Session2-1.10/source/Changesmitrerelease-notes

News mentions

No linked articles in our index yet.

cvss	0.000
epss	0.000
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000