CWE-331— Insufficient Entropy
The product uses an algorithm or scheme that produces insufficient entropy, leaving patterns or clusters of values that are more likely to occur than others.— MITRE CWE catalog
125 active CVEs classified under this weakness category. Sourced from NVD, GHSA, and vendor advisories. Full definition on MITRE →
CVEs classified under CWE-331page 3 of 3
- CVE-2025-32898MEDIUMCVSS 4.7EG 4.72025-12-05
The KDE Connect verification-code protocol before 2025-04-18 uses only 8 characters and therefore allows brute-force attacks. This affects KDE Connect before 1.33.0 on Android, KDE Connect before 25.04 on desktop, KDE Connect before 0.5 on…
- CVE-2025-47781CRITICALCVSS 9.8EG 9.82025-05-14
Rallly is an open-source scheduling and collaboration tool. Versions up to and including 3.22.1 of the application features token based authentication. When a user attempts to login to the application, they insert their email and a 6 digit…
- CVE-2025-50122HIGHCVSS 8.9EG 8.32025-07-11
A CWE-331: Insufficient Entropy vulnerability exists that could cause root password discovery when the password generation algorithm is reverse engineered with access to installation or upgrade artifacts.
- CVE-2025-52464HIGHCVSS 8.3EG 8.32025-06-19
Meshtastic is an open source mesh networking solution. In versions from 2.5.0 to before 2.6.11, the flashing procedure of several hardware vendors was resulting in duplicated public/private keys. Additionally, the Meshtastic was failing to…
- CVE-2025-54885MEDIUMCVSS 6.9EG 6.92025-08-07
Thinbus Javascript Secure Remote Password is a browser SRP6a implementation for zero-knowledge password authentication. In versions 2.0.0 and below, a protocol compliance bug causes the client to generate a fixed 252 bits of entropy instea…
- CVE-2025-59015MEDIUMCVSS 6.5EG 6.52025-09-09
A deterministic three‑character prefix in the Password Generation component of TYPO3 CMS versions 12.0.0–12.4.36 and 13.0.0–13.4.17 reduces entropy, allowing attackers to carry out brute‑force attacks more quickly.
- CVE-2025-62774LOWCVSS 3.1EG 3.12025-10-22
On Mercku M6a devices through 2.1.0, the authentication system uses predictable session tokens based on timestamps.
- CVE-2025-66565CRITICALCVSS 9.8EG 9.82025-12-09
Fiber Utils is a collection of common functions created for Fiber. In versions 2.0.0-rc.3 and below, when the system's cryptographic random number generator (crypto/rand) fails, both functions silently fall back to returning predictable UU…
- CVE-2025-67504CRITICALCVSS 9.8EG 9.12025-12-09
WBCE CMS is a content management system. Versions 1.6.4 and below use function GenerateRandomPassword() to create passwords using PHP's rand(). rand() is not cryptographically secure, which allows password sequences to be predicted or brut…
- CVE-2025-6931HIGHCVSS 7.4EG 3.72025-06-30
A vulnerability classified as problematic was found in D-Link DCS-6517 and DCS-7517 up to 2.02.0. Affected by this vulnerability is the function generate_pass_from_mac of the file /bin/httpd of the component Root Password Generation Handle…
- CVE-2025-7432LOWCVSS 1.0EG 1.02026-02-09
DPA countermeasures in Silicon Labs' Series 2 devices are not reseeded under certain conditions. This may allow an attacker to eventually extract secret keys through a DPA attack.
- CVE-2026-13199MEDIUMCVSS 4.0EG 4.02026-07-07
EEPROM firmware on Raspberry Pi 5 and Compute Module 5 devices produced non-random KASLR and RNG seed values. This resulted in consistent kernel addresses across boots and devices, potentially making it easier to exploit other vulnerabilit…
- CVE-2026-1814MEDIUMCVSS 6.8EG 6.82026-02-03
Rapid7 Nexpose versions 6.4.50 and later are vulnerable to an insufficient entropy issue in the CredentialsKeyStorePassword.generateRandomPassword() method. When updating legacy keystore passwords, the application generates a new password …
- CVE-2026-22698HIGHCVSS 7.5EG 7.52026-01-10
RustCrypto: Elliptic Curves is general purpose Elliptic Curve Cryptography (ECC) support, including types and traits for representing various elliptic curve forms, scalars, points, and public/secret keys composed thereof. In versions 0.14.…
- CVE-2026-2336HIGHCVSS 8.7EG 8.72026-04-16
A privilege escalation vulnerability in Microchip IStaX allows an authenticated low-privileged user to recover a shared per-device cookie secret from their own webstax_auth session cookie and forge a new cookie with administrative privileg…
- CVE-2026-2541MEDIUMCVSS 6.4EG 6.42026-02-15
The Micca KE700 system relies on a 6-bit portion of an identifier for authentication within rolling codes, providing only 64 possible combinations. This low entropy allows an attacker to perform a brute-force attack against one component o…
- CVE-2026-34236HIGHCVSS 8.2EG 8.22026-04-01
Auth0-PHP is a PHP SDK for Auth0 Authentication and Management APIs. From version 8.0.0 to before version 8.19.0, in applications built with the Auth0 PHP SDK, cookies are encrypted with insufficient entropy, which may result in threat act…
- CVE-2026-41080HIGHCVSS 7.5EG 2.92026-04-16
libexpat before 2.8.0 uses insufficient entropy, and thus hash flooding can occur via a crafted XML document.
- CVE-2026-42155CRITICALCVSS 9.3EG 9.32026-05-15
Magento Long Term Support (LTS) is an unofficial, community-driven project provides an alternative to the Magento Community Edition e-commerce platform with a high level of backward compatibility. Prior to 20.18.0, the XML-RPC / SOAP API s…
- CVE-2026-46473HIGHCVSS 7.5EG 7.52026-05-21
Authen::TOTP versions before 0.1.1 for Perl generate secrets using rand. Secrets were generated using Perl's built-in rand function, which is predictable and unsuitable for security usage.
- CVE-2026-46474HIGHCVSS 7.5EG 7.52026-05-15
Trog::TOTP versions before 1.006 for Perl generate secrets using rand. Secrets were generated using Perl's built-in rand function, which is predictable and unsuitable for security usage.
- CVE-2026-4827HIGHCVSS 8.7EG 8.72026-05-12
CWE‑331: Insufficient Entropy vulnerability exists that could lead to unauthorized access when an attacker on the network can exploit weaknesses in session‑management protections.
- CVE-2026-4930HIGHCVSS 7.1EG 7.12026-06-25
SYMCRYPTO is the SiXG301's host side hardware engine accessed by PSA crypto library that accelerates symmetric cryptographic operations (AES encryption/decryption and hashing). DPA Countermeasures on SYMCRYPTO can be weakened (reduced en…
- CVE-2026-7210HIGHCVSS 7.5EG 9.82026-05-11
`xml.parsers.expat` and `xml.etree.ElementTree` use insufficient entropy for Expat hash-flooding protection, which allows a crafted XML document to trigger hash flooding.\r\n\r\nFully mitigating this vulnerability requires both updating li…
- CVE-2026-8700HIGHCVSS 7.3EG 7.32026-05-15
Crypt::DSA versions before 1.20 for Perl generate seeds using rand. Seeds were generated using Perl's built-in rand function, which is predictable and unsuitable for security usage.
Map vulnerabilities like CWE-331 to your infrastructure
EchelonGraph correlates every CVE — across CWE-331 and 150+ other weakness categories — against the assets you actually run. See blast radius, fix versions, and remediation steps in one graph.
Start Free Scan →