CWE-340: Generation of Predictable Numbers or Identifiers
The product uses a scheme that generates numbers or identifiers that are more predictable than required.
Last updated
Overview
CWE-340 (Generation of Predictable Numbers or Identifiers) is a class-level software weakness catalogued by MITRE in the Common Weakness Enumeration (CWE). It describes a recurring type of mistake that can lead to exploitable security vulnerabilities.
Real-world CVEs
38 recorded CVEs are caused by CWE-340 (Generation of Predictable Numbers or Identifiers). The highest-severity and most recent are shown first. 19 new CWE-340 CVEs have been recorded so far in 2026 (13 in 2025).
- CVE-2026-3256
HTTP::Session versions before 0.54 for Perl defaults to using insecurely generated session ids
Critical · CVSS 9.8 · EPSS 41th2026-03-28 - CVE-2025-40926
Plack::Middleware::Session::Simple versions before 0.05 for Perl generates session ids insecurely
Critical · CVSS 9.8 · EPSS 35th2026-03-05 - CVE-2024-47945
Predictable Session ID
Critical · CVSS 9.8 · EPSS 54th