Vendor
A vulnerability, CVE-2026-9323, in the urwid web display backend (urwid/display/web.py) allows attackers to predict and hijack web session identifiers ('urwid_id') due to the use of a non-cryptographically secure pseudo-random number generator (Python's Mersenne Twister) and the exposure of these IDs as filenames in a world-listable `/tmp` directory, potentially leading to OS-level code execution or denial of service by injecting keystrokes or terminating sessions.