CVSS v3
8.1
HIGH
EPSS Score
—
exploit probability
CISA KEV
No
known exploited
Exploitation
—
SSVC status
The urwid web display backend (urwid/display/web.py) generates web session identifiers (urwid_id) in Screen.start() by concatenating two random.randrange(10**9) calls that use Python's Mersenne Twister PRNG, which is not cryptographically secure. Each call consumes approximately 30 bits of PRNG state, and the Mersenne Twister internal state is approximately 19,937 bits, so an attacker who observes approximately 334 session IDs (for example via the X-Urwid-ID HTTP response header) can fully recon
The urwid web display backend (urwid/display/web.py) generates web session identifiers (urwid_id) in Screen.start() by concatenating two random.randrange(10**9) calls that use Python's Mersenne Twister PRNG, which is not cryptographically secure. Each call consumes approximately 30 bits of PRNG state, and the Mersenne Twister internal state is approximately 19,937 bits, so an attacker who observes approximately 334 session IDs (for example via the X-Urwid-ID HTTP response header) can fully recon
Active exploitation of CVE-2026-9323 has not been confirmed. The EPSS score is N/A%, indicating the estimated probability of exploitation in the next 30 days.
CVE-2026-9323 has a CVSS v3 base score of 8.1 (HIGH severity), with vector string 3.1.
Use isMalicious to check if any of your IPs or domains are associated with this vulnerability's IOCs.