Search
Find a vulnerability
Search criteria
ⓘ
Use this form to refine search results.
Full-text search supports keyword queries with ranking and filtering.
You can combine vendor, product, and sources to narrow results.
Enable “Apply ordering” to sort by date instead of relevance.
205 vulnerabilities
CVE-2026-49147 (GCVE-0-2026-49147)
Vulnerability from cvelistv5 – Published: 2026-07-08 14:55 – Updated: 2026-07-08 17:31
VLAI
EPSS
VEX
Title
App::Ack versions through 3.10.0 for Perl print unsanitised terminal escape sequences from filenames in several output modes
Summary
App::Ack versions through 3.10.0 for Perl print unsanitised terminal escape sequences from filenames in several output modes.
When ack prints a filename whose basename contains terminal control bytes such as ANSI escape sequences, those bytes reach the terminal unchanged. Version 3.10.0 added a _safe_filename helper that sanitises the filenames printed by -f, -g, the colored match heading, and per-match lines, but the --show-types, -l/-L, and -c paths still emit the raw filename.
A file whose name embeds cursor-movement or color escapes can overwrite or recolor earlier terminal output, or be passed unchanged to a downstream consumer.
Severity
7.5 (High)
SSVC
Exploitation: none
Automatable: yes
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-150 - Improper Neutralization of Escape, Meta, or Control Sequences
Assigner
References
2 references
Impacted products
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2026-49147",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-07-08T15:22:36.769783Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-07-08T15:22:39.294Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2026-07-08T17:31:34.336Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "http://www.openwall.com/lists/oss-security/2026/07/08/9"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://cpan.org/modules",
"defaultStatus": "unaffected",
"packageName": "ack",
"product": "App::Ack",
"programFiles": [
"lib/App/Ack.pm",
"ack"
],
"programRoutines": [
{
"name": "App::Ack::show_types"
},
{
"name": "file_loop_lL"
},
{
"name": "file_loop_c"
}
],
"repo": "https://github.com/beyondgrep/ack3",
"vendor": "PETDANCE",
"versions": [
{
"lessThanOrEqual": "3.10.0",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Micha\u0142 Majchrowicz (AFINE)"
},
{
"lang": "en",
"type": "finder",
"value": "Marcin Wyczechowski (AFINE)"
}
],
"descriptions": [
{
"lang": "en",
"value": "App::Ack versions through 3.10.0 for Perl print unsanitised terminal escape sequences from filenames in several output modes.\n\nWhen ack prints a filename whose basename contains terminal control bytes such as ANSI escape sequences, those bytes reach the terminal unchanged. Version 3.10.0 added a _safe_filename helper that sanitises the filenames printed by -f, -g, the colored match heading, and per-match lines, but the --show-types, -l/-L, and -c paths still emit the raw filename.\n\nA file whose name embeds cursor-movement or color escapes can overwrite or recolor earlier terminal output, or be passed unchanged to a downstream consumer."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-150",
"description": "CWE-150 Improper Neutralization of Escape, Meta, or Control Sequences",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-07-08T14:55:50.232Z",
"orgId": "9b29abf9-4ab0-4765-b253-1875cd9b441e",
"shortName": "CPANSec"
},
"references": [
{
"tags": [
"release-notes"
],
"url": "https://metacpan.org/release/PETDANCE/ack-v3.10.0/source/Changes"
}
],
"solutions": [
{
"lang": "en",
"value": "Upgrade to a future ack release."
}
],
"source": {
"discovery": "UNKNOWN"
},
"timeline": [
{
"lang": "en",
"time": "2026-06-07T00:00:00.000Z",
"value": "Version 3.10.0 released with partial fix for most output paths."
}
],
"title": "App::Ack versions through 3.10.0 for Perl print unsanitised terminal escape sequences from filenames in several output modes",
"workarounds": [
{
"lang": "en",
"value": "Pipe ack output through a filter that strips terminal control characters when running ack over untrusted filenames."
}
],
"x_generator": {
"engine": "cpansec-cna-tool 0.1"
}
}
},
"cveMetadata": {
"assignerOrgId": "9b29abf9-4ab0-4765-b253-1875cd9b441e",
"assignerShortName": "CPANSec",
"cveId": "CVE-2026-49147",
"datePublished": "2026-07-08T14:55:50.232Z",
"dateReserved": "2026-05-27T17:50:04.538Z",
"dateUpdated": "2026-07-08T17:31:34.336Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-49146 (GCVE-0-2026-49146)
Vulnerability from cvelistv5 – Published: 2026-07-08 14:55 – Updated: 2026-07-08 17:31
VLAI
EPSS
VEX
Title
App::Ack versions before 3.10.0 for Perl allow memory exhaustion via an unbounded context value in a project .ackrc
Summary
App::Ack versions before 3.10.0 for Perl allow memory exhaustion via an unbounded context value in a project .ackrc.
ack searches up the directory hierarchy from the current directory for a project .ackrc and loads its options. The -B and -C context options accepted any positive integer, and ack sized the before-context buffer to that value, so a project .ackrc setting --before-context=100000000 made ack allocate a buffer of 100 million elements.
A project .ackrc committed to an untrusted repository can abort ack with an out-of-memory condition.
Severity
7.5 (High)
SSVC
Exploitation: none
Automatable: yes
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-770 - Allocation of Resources Without Limits or Throttling
Assigner
References
3 references
Impacted products
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2026-49146",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-07-08T15:22:07.691262Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-07-08T15:22:10.486Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2026-07-08T17:31:33.218Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "http://www.openwall.com/lists/oss-security/2026/07/08/8"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://cpan.org/modules",
"defaultStatus": "unaffected",
"packageName": "ack",
"product": "App::Ack",
"programFiles": [
"lib/App/Ack/ConfigLoader.pm",
"ack"
],
"programRoutines": [
{
"name": "App::Ack::ConfigLoader::_context_value"
}
],
"repo": "https://github.com/beyondgrep/ack3",
"vendor": "PETDANCE",
"versions": [
{
"lessThan": "3.10.0",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Micha\u0142 Majchrowicz (AFINE)"
},
{
"lang": "en",
"type": "finder",
"value": "Marcin Wyczechowski (AFINE)"
}
],
"descriptions": [
{
"lang": "en",
"value": "App::Ack versions before 3.10.0 for Perl allow memory exhaustion via an unbounded context value in a project .ackrc.\n\nack searches up the directory hierarchy from the current directory for a project .ackrc and loads its options. The -B and -C context options accepted any positive integer, and ack sized the before-context buffer to that value, so a project .ackrc setting --before-context=100000000 made ack allocate a buffer of 100 million elements.\n\nA project .ackrc committed to an untrusted repository can abort ack with an out-of-memory condition."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-770",
"description": "CWE-770 Allocation of Resources Without Limits or Throttling",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-07-08T14:55:37.207Z",
"orgId": "9b29abf9-4ab0-4765-b253-1875cd9b441e",
"shortName": "CPANSec"
},
"references": [
{
"tags": [
"patch"
],
"url": "https://github.com/beyondgrep/ack3/commit/45ff5fe77dbd96f7332f31943102291f878f30b8.patch"
},
{
"tags": [
"release-notes"
],
"url": "https://metacpan.org/release/PETDANCE/ack-v3.10.0/source/Changes"
}
],
"solutions": [
{
"lang": "en",
"value": "Upgrade to ack 3.10.0 or later."
}
],
"source": {
"discovery": "UNKNOWN"
},
"timeline": [
{
"lang": "en",
"time": "2026-06-07T00:00:00.000Z",
"value": "Version 3.10.0 released with fix."
}
],
"title": "App::Ack versions before 3.10.0 for Perl allow memory exhaustion via an unbounded context value in a project .ackrc",
"x_generator": {
"engine": "cpansec-cna-tool 0.1"
}
}
},
"cveMetadata": {
"assignerOrgId": "9b29abf9-4ab0-4765-b253-1875cd9b441e",
"assignerShortName": "CPANSec",
"cveId": "CVE-2026-49146",
"datePublished": "2026-07-08T14:55:37.207Z",
"dateReserved": "2026-05-27T17:50:04.538Z",
"dateUpdated": "2026-07-08T17:31:33.218Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-49145 (GCVE-0-2026-49145)
Vulnerability from cvelistv5 – Published: 2026-07-08 14:55 – Updated: 2026-07-08 17:31
VLAI
EPSS
VEX
Title
App::Ack versions through 3.10.0 for Perl read arbitrary files via --files-from in a project .ackrc
Summary
App::Ack versions through 3.10.0 for Perl read arbitrary files via --files-from in a project .ackrc.
ack searches up the directory hierarchy from the current directory for a project .ackrc and loads its options. The project-source option blocklist in App::Ack::ConfigLoader does not include --files-from, so a project .ackrc can set it to a path whose listed files ack then reads and searches. Version 3.10.0 added --follow to the blocklist; --files-from remains accepted.
A project .ackrc committed to an untrusted repository can make ack read files outside the project and print their matching lines.
Severity
7.5 (High)
SSVC
Exploitation: none
Automatable: yes
Technical Impact: partial
CISA Coordinator (v2.0.3)
Assigner
References
2 references
Impacted products
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2026-49145",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-07-08T15:21:08.032707Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-07-08T15:21:13.451Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2026-07-08T17:31:32.120Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "http://www.openwall.com/lists/oss-security/2026/07/08/7"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://cpan.org/modules",
"defaultStatus": "unaffected",
"packageName": "ack",
"product": "App::Ack",
"programFiles": [
"lib/App/Ack/ConfigFinder.pm",
"lib/App/Ack/ConfigLoader.pm"
],
"programRoutines": [
{
"name": "App::Ack::ConfigFinder::find_config_files"
},
{
"name": "App::Ack::ConfigLoader::_process_other"
}
],
"repo": "https://github.com/beyondgrep/ack3",
"vendor": "PETDANCE",
"versions": [
{
"lessThanOrEqual": "3.10.0",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Micha\u0142 Majchrowicz (AFINE)"
},
{
"lang": "en",
"type": "finder",
"value": "Marcin Wyczechowski (AFINE)"
}
],
"descriptions": [
{
"lang": "en",
"value": "App::Ack versions through 3.10.0 for Perl read arbitrary files via --files-from in a project .ackrc.\n\nack searches up the directory hierarchy from the current directory for a project .ackrc and loads its options. The project-source option blocklist in App::Ack::ConfigLoader does not include --files-from, so a project .ackrc can set it to a path whose listed files ack then reads and searches. Version 3.10.0 added --follow to the blocklist; --files-from remains accepted.\n\nA project .ackrc committed to an untrusted repository can make ack read files outside the project and print their matching lines."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-73",
"description": "CWE-73 External Control of File Name or Path",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-426",
"description": "CWE-426 Untrusted Search Path",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-07-08T14:55:13.819Z",
"orgId": "9b29abf9-4ab0-4765-b253-1875cd9b441e",
"shortName": "CPANSec"
},
"references": [
{
"tags": [
"release-notes"
],
"url": "https://metacpan.org/release/PETDANCE/ack-v3.10.0/source/Changes"
}
],
"solutions": [
{
"lang": "en",
"value": "Upgrade to a future ack release."
}
],
"source": {
"discovery": "UNKNOWN"
},
"timeline": [
{
"lang": "en",
"time": "2026-06-07T00:00:00.000Z",
"value": "Version 3.10.0 released with partial fix for the --follow option."
}
],
"title": "App::Ack versions through 3.10.0 for Perl read arbitrary files via --files-from in a project .ackrc",
"workarounds": [
{
"lang": "en",
"value": "Run ack with --noenv, or avoid running ack in a directory tree that contains an untrusted .ackrc."
}
],
"x_generator": {
"engine": "cpansec-cna-tool 0.1"
}
}
},
"cveMetadata": {
"assignerOrgId": "9b29abf9-4ab0-4765-b253-1875cd9b441e",
"assignerShortName": "CPANSec",
"cveId": "CVE-2026-49145",
"datePublished": "2026-07-08T14:55:13.819Z",
"dateReserved": "2026-05-27T17:50:04.538Z",
"dateUpdated": "2026-07-08T17:31:32.120Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-14454 (GCVE-0-2026-14454)
Vulnerability from cvelistv5 – Published: 2026-07-08 12:30 – Updated: 2026-07-09 14:41
VLAI
EPSS
VEX
Title
Imager versions before 1.033 for Perl treat unsigned EXIF IFD entry counts as signed
Summary
Imager versions before 1.033 for Perl treat unsigned EXIF IFD entry counts as signed.
Imager mishandled large EXIF IFD entry count values, treating them as negative numbers. This could lead to an attempt to allocate a block nearly the size of the address space, which fails and kills the process.
An attacker could craft an image with EXIF data that terminates a worker process.
Severity
9.8 (Critical)
SSVC
Exploitation: none
Automatable: yes
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
Assigner
References
3 references
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2026-07-08T17:31:27.727Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "http://www.openwall.com/lists/oss-security/2026/07/08/6"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2026-14454",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-07-09T13:50:57.514385Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-07-09T14:41:45.096Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://cpan.org/modules",
"defaultStatus": "unaffected",
"packageName": "Imager",
"product": "Imager",
"programFiles": [
"imexif.c"
],
"programRoutines": [
{
"name": "tiff_load_ifd"
}
],
"repo": "https://github.com/tonycoz/imager",
"vendor": "TONYC",
"versions": [
{
"lessThan": "1.033",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Imager versions before 1.033 for Perl treat unsigned EXIF IFD entry counts as signed.\n\nImager mishandled large EXIF IFD entry count values, treating them as negative numbers. This could lead to an attempt to allocate a block nearly the size of the address space, which fails and kills the process.\n\nAn attacker could craft an image with EXIF data that terminates a worker process."
}
],
"impacts": [
{
"capecId": "CAPEC-128",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-128 Integer Attacks"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-196",
"description": "CWE-196 Unsigned to Signed Conversion Error",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-789",
"description": "CWE-789 Memory Allocation with Excessive Size Value",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-07-08T12:30:20.230Z",
"orgId": "9b29abf9-4ab0-4765-b253-1875cd9b441e",
"shortName": "CPANSec"
},
"references": [
{
"tags": [
"release-notes"
],
"url": "https://metacpan.org/release/TONYC/Imager-1.033/changes"
},
{
"tags": [
"patch"
],
"url": "https://github.com/tonycoz/imager/commit/06f01a5d0fd591259aeba589370d6888384a6b6d.patch"
}
],
"solutions": [
{
"lang": "en",
"value": "Upgrade to version 1.033 or later."
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Imager versions before 1.033 for Perl treat unsigned EXIF IFD entry counts as signed",
"x_generator": {
"engine": "cpansec-cna-tool 0.1"
}
}
},
"cveMetadata": {
"assignerOrgId": "9b29abf9-4ab0-4765-b253-1875cd9b441e",
"assignerShortName": "CPANSec",
"cveId": "CVE-2026-14454",
"datePublished": "2026-07-08T12:30:20.230Z",
"dateReserved": "2026-07-02T08:18:50.542Z",
"dateUpdated": "2026-07-09T14:41:45.096Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-14895 (GCVE-0-2026-14895)
Vulnerability from cvelistv5 – Published: 2026-07-07 22:12 – Updated: 2026-07-08 14:05
VLAI
EPSS
VEX
Title
String::Util versions before 1.36 for Perl are susceptible to a regular expression denial of service
Summary
String::Util versions before 1.36 for Perl are susceptible to a regular expression denial of service.
The trim and rtrim functions stripped trailing whitespace with s/\s*$//u. Because \s* matches greedily and the $ anchor fails whenever a non-whitespace character follows the whitespace, the regex engine retries the match at each offset of a long whitespace run, producing quadratic backtracking. The fix replaces \s*$ with \s+$.
Any caller that passes untrusted input to trim or rtrim can trigger CPU exhaustion with a string containing a long run of whitespace.
Severity
7.5 (High)
SSVC
Exploitation: none
Automatable: yes
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-1333 - Inefficient Regular Expression Complexity
Assigner
References
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| BAKERSCOT | String::Util |
Affected:
0 , < 1.36
(custom)
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2026-07-08T00:28:33.750Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "http://www.openwall.com/lists/oss-security/2026/07/07/18"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2026-14895",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-07-08T14:05:12.698100Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-07-08T14:05:18.813Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://cpan.org/modules",
"defaultStatus": "unaffected",
"packageName": "String-Util",
"product": "String::Util",
"programFiles": [
"lib/String/Util.pm"
],
"programRoutines": [
{
"name": "String::Util::trim"
},
{
"name": "String::Util::rtrim"
}
],
"repo": "https://github.com/scottchiefbaker/String-Util",
"vendor": "BAKERSCOT",
"versions": [
{
"lessThan": "1.36",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "String::Util versions before 1.36 for Perl are susceptible to a regular expression denial of service.\n\nThe trim and rtrim functions stripped trailing whitespace with s/\\s*$//u. Because \\s* matches greedily and the $ anchor fails whenever a non-whitespace character follows the whitespace, the regex engine retries the match at each offset of a long whitespace run, producing quadratic backtracking. The fix replaces \\s*$ with \\s+$.\n\nAny caller that passes untrusted input to trim or rtrim can trigger CPU exhaustion with a string containing a long run of whitespace."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-1333",
"description": "CWE-1333 Inefficient Regular Expression Complexity",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-07-07T22:12:22.460Z",
"orgId": "9b29abf9-4ab0-4765-b253-1875cd9b441e",
"shortName": "CPANSec"
},
"references": [
{
"tags": [
"patch"
],
"url": "https://github.com/scottchiefbaker/String-Util/commit/f8150867aaeb8f57c59601aefb2193f2caed8745.patch"
},
{
"url": "https://metacpan.org/release/BAKERSCOT/String-Util-1.36/diff/BAKERSCOT/String-Util-1.35#lib/String/Util.pm"
},
{
"tags": [
"release-notes"
],
"url": "https://github.com/scottchiefbaker/String-Util/releases"
}
],
"solutions": [
{
"lang": "en",
"value": "Upgrade to version 1.36 or later."
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "String::Util versions before 1.36 for Perl are susceptible to a regular expression denial of service",
"workarounds": [
{
"lang": "en",
"value": "For deployments that cannot upgrade, enforce a maximum length on strings before passing them to the trim and rtrim functions.\n\nNote that the HTML form field maxlength attribute is only enforced client-side."
}
],
"x_generator": {
"engine": "cpansec-cna-tool 0.1"
}
}
},
"cveMetadata": {
"assignerOrgId": "9b29abf9-4ab0-4765-b253-1875cd9b441e",
"assignerShortName": "CPANSec",
"cveId": "CVE-2026-14895",
"datePublished": "2026-07-07T22:12:22.460Z",
"dateReserved": "2026-07-06T18:31:10.251Z",
"dateUpdated": "2026-07-08T14:05:18.813Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-14740 (GCVE-0-2026-14740)
Vulnerability from cvelistv5 – Published: 2026-07-07 22:05 – Updated: 2026-07-08 13:59
VLAI
EPSS
VEX
Title
DBI versions before 1.650 for Perl read one byte out-of-bounds in preparse when deleting an initial SQL comment
Summary
DBI versions before 1.650 for Perl read one byte out-of-bounds in preparse when deleting an initial SQL comment.
The preparse method normalises SQL and removes comments. When the SQL starts with a comment line, the deletion of that line during normalisation led to an out-of-bounds read by one byte. The result is a fault on memory-hardened builds and nondeterministic newline retention on normal builds.
Severity
9.1 (Critical)
SSVC
Exploitation: none
Automatable: yes
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-125 - Out-of-bounds Read
Assigner
References
4 references
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2026-07-08T00:28:32.673Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "http://www.openwall.com/lists/oss-security/2026/07/07/17"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.1,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2026-14740",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-07-08T13:58:06.622142Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-07-08T13:59:33.009Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://cpan.org/modules",
"defaultStatus": "unaffected",
"packageName": "DBI",
"product": "DBI",
"programFiles": [
"DBI.xs"
],
"programRoutines": [
{
"name": "preparse"
}
],
"repo": "https://github.com/perl5-dbi/dbi",
"vendor": "HMBRAND",
"versions": [
{
"lessThan": "1.650",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "DBI versions before 1.650 for Perl read one byte out-of-bounds in preparse when deleting an initial SQL comment.\n\nThe preparse method normalises SQL and removes comments. When the SQL starts with a comment line, the deletion of that line during normalisation led to an out-of-bounds read by one byte. The result is a fault on memory-hardened builds and nondeterministic newline retention on normal builds."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-125",
"description": "CWE-125 Out-of-bounds Read",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-07-07T22:05:45.077Z",
"orgId": "9b29abf9-4ab0-4765-b253-1875cd9b441e",
"shortName": "CPANSec"
},
"references": [
{
"tags": [
"patch"
],
"url": "https://github.com/perl5-dbi/dbi/commit/fc16f9e8b3dd5c65caf1867781ab2bfe2fadcc01.patch"
},
{
"tags": [
"vendor-advisory"
],
"url": "https://github.com/perl5-dbi/dbi/security/advisories/GHSA-35f4-f8m9-w8xg"
},
{
"tags": [
"release-notes"
],
"url": "https://metacpan.org/release/HMBRAND/DBI-1.650/changes"
}
],
"solutions": [
{
"lang": "en",
"value": "Upgrade to DBI version 1.650 or later."
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "DBI versions before 1.650 for Perl read one byte out-of-bounds in preparse when deleting an initial SQL comment",
"workarounds": [
{
"lang": "en",
"value": "Remove initial comments from SQL statements before passing them to DBI."
}
],
"x_generator": {
"engine": "cpansec-cna-tool 0.1"
}
}
},
"cveMetadata": {
"assignerOrgId": "9b29abf9-4ab0-4765-b253-1875cd9b441e",
"assignerShortName": "CPANSec",
"cveId": "CVE-2026-14740",
"datePublished": "2026-07-07T22:05:45.077Z",
"dateReserved": "2026-07-04T09:43:56.576Z",
"dateUpdated": "2026-07-08T13:59:33.009Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-14739 (GCVE-0-2026-14739)
Vulnerability from cvelistv5 – Published: 2026-07-07 22:05 – Updated: 2026-07-08 13:56
VLAI
EPSS
VEX
Title
DBI versions before 1.650 for Perl have a heap overflow when preparsing SQL statements with an extreme number of placeholders
Summary
DBI versions before 1.650 for Perl have a heap overflow when preparsing SQL statements with an extreme number of placeholders.
The fix for CVE-2026-10879 did not allocate enough memory to handle approximately 1.2-million placeholders.
DBI version 1.650 sets a hard limit of 99,999 placeholders.
Severity
9.8 (Critical)
SSVC
Exploitation: none
Automatable: yes
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-787 - Out-of-bounds Write
Assigner
References
3 references
| URL | Tags |
|---|---|
| https://github.com/perl5-dbi/dbi/commit/2b77c88b6… | patch |
| https://www.cve.org/CVERecord?id=CVE-2026-10879 | vendor-advisoryrelated |
| https://metacpan.org/release/HMBRAND/DBI-1.650/changes | release-notes |
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2026-14739",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-07-08T13:55:38.504631Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-07-08T13:56:43.597Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://cpan.org/modules",
"defaultStatus": "unaffected",
"packageName": "DBI",
"product": "DBI",
"programFiles": [
"DBI.xs"
],
"programRoutines": [
{
"name": "preparse"
}
],
"repo": "https://github.com/perl5-dbi/dbi",
"vendor": "HMBRAND",
"versions": [
{
"lessThan": "1.650",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "DBI versions before 1.650 for Perl have a heap overflow when preparsing SQL statements with an extreme number of placeholders.\n\nThe fix for CVE-2026-10879 did not allocate enough memory to handle approximately 1.2-million placeholders.\n\nDBI version 1.650 sets a hard limit of 99,999 placeholders."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-787",
"description": "CWE-787 Out-of-bounds Write",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-07-07T22:05:18.457Z",
"orgId": "9b29abf9-4ab0-4765-b253-1875cd9b441e",
"shortName": "CPANSec"
},
"references": [
{
"tags": [
"patch"
],
"url": "https://github.com/perl5-dbi/dbi/commit/2b77c88b655e9539a592c71a61fb965fc0075395.patch"
},
{
"tags": [
"vendor-advisory",
"related"
],
"url": "https://www.cve.org/CVERecord?id=CVE-2026-10879"
},
{
"tags": [
"release-notes"
],
"url": "https://metacpan.org/release/HMBRAND/DBI-1.650/changes"
}
],
"solutions": [
{
"lang": "en",
"value": "Upgrade to DBI version 1.650 or later."
}
],
"source": {
"discovery": "UNKNOWN"
},
"timeline": [
{
"lang": "en",
"time": "2026-06-04T00:00:00.000Z",
"value": "Version 1.648 released with a fix for CVE-2026-10879."
},
{
"lang": "en",
"time": "2026-07-07T00:00:00.000Z",
"value": "Version 1.650 released."
}
],
"title": "DBI versions before 1.650 for Perl have a heap overflow when preparsing SQL statements with an extreme number of placeholders",
"x_generator": {
"engine": "cpansec-cna-tool 0.1"
}
}
},
"cveMetadata": {
"assignerOrgId": "9b29abf9-4ab0-4765-b253-1875cd9b441e",
"assignerShortName": "CPANSec",
"cveId": "CVE-2026-14739",
"datePublished": "2026-07-07T22:05:18.457Z",
"dateReserved": "2026-07-04T09:24:31.098Z",
"dateUpdated": "2026-07-08T13:56:43.597Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-14380 (GCVE-0-2026-14380)
Vulnerability from cvelistv5 – Published: 2026-07-07 22:04 – Updated: 2026-07-09 14:41
VLAI
EPSS
VEX
Title
DBI versions before 1.650 for Perl are vulnerable to code injection via caller-influenced Profile
Summary
DBI versions before 1.650 for Perl are vulnerable to code injection via caller-influenced Profile.
When a string is assigned to a DBI handle's Profile attribute, DBI splits it into path, package and arguments, and interpolates the package part in a string eval with no validation of the package name.
Any caller-influenced value that reaches the Profile attribute is therefore arbitrary Perl code execution, including calls to run system commands.
The Profile attribute can be set from three different sources that can carry untrusted data: the DBI_PROFILE environment variable, a direct attribute assignment, and a DSN driver-attribute clause dbi:Driver(Profile=>SPEC):db.
An attacker controlling any of those inputs runs arbitrary Perl in the host process. The strongest remote position is a network-exposed DBI::Gofer / DBI::ProxyServer whose per-request DSN reaches the Profile attribute, letting a client execute code on the broker host.
Severity
8.8 (High)
SSVC
Exploitation: none
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-95 - Improper Neutralization of Directives in Dynamically Evaluated Code (Eval Injection)
Assigner
References
4 references
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2026-07-08T00:28:31.619Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "http://www.openwall.com/lists/oss-security/2026/07/07/16"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2026-14380",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-07-09T13:51:52.778631Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-07-09T14:41:58.100Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://cpan.org/modules",
"defaultStatus": "unaffected",
"packageName": "DBI",
"product": "DBI",
"programFiles": [
"lib/DBI/Profile.pm"
],
"programRoutines": [
{
"name": "DBI::Profile::_auto_new"
}
],
"repo": "https://github.com/perl5-dbi/dbi",
"vendor": "HMBRAND",
"versions": [
{
"lessThan": "1.650",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "DBI versions before 1.650 for Perl are vulnerable to code injection via caller-influenced Profile.\n\nWhen a string is assigned to a DBI handle\u0027s Profile attribute, DBI splits it into path, package and arguments, and interpolates the package part in a string eval with no validation of the package name.\n\nAny caller-influenced value that reaches the Profile attribute is therefore arbitrary Perl code execution, including calls to run system commands.\n\nThe Profile attribute can be set from three different sources that can carry untrusted data: the DBI_PROFILE environment variable, a direct attribute assignment, and a DSN driver-attribute clause dbi:Driver(Profile=\u003eSPEC):db.\n\nAn attacker controlling any of those inputs runs arbitrary Perl in the host process. The strongest remote position is a network-exposed DBI::Gofer / DBI::ProxyServer whose per-request DSN reaches the Profile attribute, letting a client execute code on the broker host."
}
],
"impacts": [
{
"capecId": "CAPEC-242",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-242 Code Injection"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-95",
"description": "CWE-95 Improper Neutralization of Directives in Dynamically Evaluated Code (Eval Injection)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-07-07T22:04:49.078Z",
"orgId": "9b29abf9-4ab0-4765-b253-1875cd9b441e",
"shortName": "CPANSec"
},
"references": [
{
"tags": [
"patch"
],
"url": "https://github.com/perl5-dbi/dbi/commit/b73d5d9901767fc1d16b6661ef08fbed4532e259.patch"
},
{
"tags": [
"vendor-advisory"
],
"url": "https://github.com/perl5-dbi/dbi/security/advisories/GHSA-ch8w-hxc2-v557"
},
{
"tags": [
"release-notes"
],
"url": "https://metacpan.org/release/HMBRAND/DBI-1.650/changes"
}
],
"solutions": [
{
"lang": "en",
"value": "Upgrade to DBI version 1.650 or later."
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "DBI versions before 1.650 for Perl are vulnerable to code injection via caller-influenced Profile",
"x_generator": {
"engine": "cpansec-cna-tool 0.1"
}
}
},
"cveMetadata": {
"assignerOrgId": "9b29abf9-4ab0-4765-b253-1875cd9b441e",
"assignerShortName": "CPANSec",
"cveId": "CVE-2026-14380",
"datePublished": "2026-07-07T22:04:49.078Z",
"dateReserved": "2026-07-01T21:17:54.504Z",
"dateUpdated": "2026-07-09T14:41:58.100Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-7017 (GCVE-0-2026-7017)
Vulnerability from cvelistv5 – Published: 2026-07-07 17:41 – Updated: 2026-07-07 20:35
VLAI
EPSS
VEX
Title
HTTP::Tiny versions before 0.095 for Perl forward credential headers to cross-origin redirect targets
Summary
HTTP::Tiny versions before 0.095 for Perl forward credential headers to cross-origin redirect targets.
When the server returns a 3xx redirect, `_maybe_redirect` follows the `Location:` header and `_prepare_headers_and_cb` re-merges the caller's `headers` argument into the new request, without checking whether the redirect target shares an origin with the original URL. Caller-supplied `Authorization`, `Cookie` and `Proxy-Authorization` headers are therefore re-sent to whatever host the redirect names, across scheme, host or port boundaries, and including `https` to `http` downgrades that expose them in plaintext on the wire.
The HTTP::Tiny POD note that "Authorization headers will not be included in a redirected request" applied only to the URL-userinfo Basic-auth path, not to headers passed explicitly by the caller.
Severity
7.1 (High)
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-522 - Insufficiently Protected Credentials
Assigner
References
6 references
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| HAARG | HTTP::Tiny |
Affected:
0 , < 0.095
(custom)
|
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2026-7017",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-07-07T18:31:23.699590Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-07-07T18:31:42.536Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2026-07-07T20:35:36.874Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "http://www.openwall.com/lists/oss-security/2026/07/07/13"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://cpan.org/modules",
"defaultStatus": "unaffected",
"packageName": "HTTP-Tiny",
"product": "HTTP::Tiny",
"programFiles": [
"lib/HTTP/Tiny.pm"
],
"programRoutines": [
{
"name": "_maybe_redirect"
},
{
"name": "_prepare_headers_and_cb"
}
],
"repo": "https://github.com/Perl-Toolchain-Gang/HTTP-Tiny",
"vendor": "HAARG",
"versions": [
{
"lessThan": "0.095",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "HTTP::Tiny versions before 0.095 for Perl forward credential headers to cross-origin redirect targets.\n\nWhen the server returns a 3xx redirect, `_maybe_redirect` follows the `Location:` header and `_prepare_headers_and_cb` re-merges the caller\u0027s `headers` argument into the new request, without checking whether the redirect target shares an origin with the original URL. Caller-supplied `Authorization`, `Cookie` and `Proxy-Authorization` headers are therefore re-sent to whatever host the redirect names, across scheme, host or port boundaries, and including `https` to `http` downgrades that expose them in plaintext on the wire.\n\nThe HTTP::Tiny POD note that \"Authorization headers will not be included in a redirected request\" applied only to the URL-userinfo Basic-auth path, not to headers passed explicitly by the caller."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-522",
"description": "CWE-522 Insufficiently Protected Credentials",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-07-07T17:41:48.989Z",
"orgId": "9b29abf9-4ab0-4765-b253-1875cd9b441e",
"shortName": "CPANSec"
},
"references": [
{
"tags": [
"issue-tracking"
],
"url": "https://github.com/Perl-Toolchain-Gang/HTTP-Tiny/pull/36"
},
{
"tags": [
"patch"
],
"url": "https://github.com/Perl-Toolchain-Gang/HTTP-Tiny/commit/84984ef3930ddd4afcf5eb83b40d3cee200739c3.patch"
},
{
"tags": [
"patch"
],
"url": "https://github.com/Perl-Toolchain-Gang/HTTP-Tiny/commit/e7a03aedf2395158f2b0d3bad2df943349227bb3.patch"
},
{
"tags": [
"patch"
],
"url": "https://github.com/Perl-Toolchain-Gang/HTTP-Tiny/commit/8f32ca89e21c3ad0422adc698fa6ad17a193f55f.patch"
},
{
"tags": [
"release-notes"
],
"url": "https://metacpan.org/release/HAARG/HTTP-Tiny-0.095-TRIAL/changes"
}
],
"solutions": [
{
"lang": "en",
"value": "Upgrade to HTTP-Tiny 0.095-TRIAL or later."
}
],
"source": {
"discovery": "UNKNOWN"
},
"timeline": [
{
"lang": "en",
"time": "2026-04-25T00:00:00.000Z",
"value": "Issue discovered."
},
{
"lang": "en",
"time": "2026-06-03T00:00:00.000Z",
"value": "Version 0.095-TRIAL released with fix."
}
],
"title": "HTTP::Tiny versions before 0.095 for Perl forward credential headers to cross-origin redirect targets",
"x_generator": {
"engine": "cpansec-cna-tool 0.1"
}
}
},
"cveMetadata": {
"assignerOrgId": "9b29abf9-4ab0-4765-b253-1875cd9b441e",
"assignerShortName": "CPANSec",
"cveId": "CVE-2026-7017",
"datePublished": "2026-07-07T17:41:48.989Z",
"dateReserved": "2026-04-25T10:30:05.190Z",
"dateUpdated": "2026-07-07T20:35:36.874Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2011-10043 (GCVE-0-2011-10043)
Vulnerability from cvelistv5 – Published: 2026-07-07 11:46 – Updated: 2026-07-07 16:04
VLAI
EPSS
VEX
Title
Module::Load versions before 0.22 for Perl allow arbitrary modules outside of @INC to be loaded
Summary
Module::Load versions before 0.22 for Perl allow arbitrary modules outside of @INC to be loaded.
Module names starting with "::" could be passed to the load function to specify arbitrary module paths.
Attackers able to influence module names passed to load could use that bug to execute arbitrary code.
Severity
9.8 (Critical)
SSVC
Exploitation: none
Automatable: yes
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-145 - Improper Neutralization of Section Delimiters
Assigner
References
3 references
| URL | Tags |
|---|---|
| https://blogs.perl.org/users/michael_g_schwern/20… | technical-description |
| https://metacpan.org/release/BINGOS/Module-Load-0… | |
| https://metacpan.org/release/BINGOS/Module-Load-0… | release-notes |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| BINGOS | Module::Load |
Affected:
0 , < 0.22
(custom)
|
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2011-10043",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-07-07T16:04:25.108284Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-07-07T16:04:29.197Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://cpan.org/modules",
"defaultStatus": "unaffected",
"packageName": "Module-Load",
"product": "Module::Load",
"programFiles": [
"lib/Module/Load.pm"
],
"programRoutines": [
{
"name": "Module::Load::_to_file"
}
],
"repo": "https://github.com/jib/module-load",
"vendor": "BINGOS",
"versions": [
{
"lessThan": "0.22",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Module::Load versions before 0.22 for Perl allow arbitrary modules outside of @INC to be loaded.\n\nModule names starting with \"::\" could be passed to the load function to specify arbitrary module paths.\n\nAttackers able to influence module names passed to load could use that bug to execute arbitrary code."
}
],
"impacts": [
{
"capecId": "CAPEC-242",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-242 Code Injection"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-145",
"description": "CWE-145 Improper Neutralization of Section Delimiters",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-07-07T11:46:13.575Z",
"orgId": "9b29abf9-4ab0-4765-b253-1875cd9b441e",
"shortName": "CPANSec"
},
"references": [
{
"tags": [
"technical-description"
],
"url": "https://blogs.perl.org/users/michael_g_schwern/2011/10/how-not-to-load-a-module-or-bad-interfaces-make-good-people-do-bad-things.html"
},
{
"url": "https://metacpan.org/release/BINGOS/Module-Load-0.22/diff/BINGOS/Module-Load-0.20/lib/Module/Load.pm"
},
{
"tags": [
"release-notes"
],
"url": "https://metacpan.org/release/BINGOS/Module-Load-0.22/changes"
}
],
"solutions": [
{
"lang": "en",
"value": "If you are using Perl v5.15.3 or earlier, then upgrade to Module::Load 0.22 or later.\n\nPerl versions after v5.15.4 include newer versions of Module::Load that fix this issue."
}
],
"source": {
"discovery": "UNKNOWN"
},
"timeline": [
{
"lang": "en",
"time": "2011-10-02T00:00:00.000Z",
"value": "General issue identified by Michael G Schwern in blog post."
},
{
"lang": "en",
"time": "2011-10-04T00:00:00.000Z",
"value": "Module::Load 0.22 released."
},
{
"lang": "en",
"time": "2011-10-20T00:00:00.000Z",
"value": "Perl v5.15.4 released with Module::Load 0.22."
}
],
"title": "Module::Load versions before 0.22 for Perl allow arbitrary modules outside of @INC to be loaded",
"x_generator": {
"engine": "cpansec-cna-tool 0.1"
}
}
},
"cveMetadata": {
"assignerOrgId": "9b29abf9-4ab0-4765-b253-1875cd9b441e",
"assignerShortName": "CPANSec",
"cveId": "CVE-2011-10043",
"datePublished": "2026-07-07T11:46:13.575Z",
"dateReserved": "2026-07-05T11:47:35.949Z",
"dateUpdated": "2026-07-07T16:04:29.197Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-13708 (GCVE-0-2026-13708)
Vulnerability from cvelistv5 – Published: 2026-07-06 12:04 – Updated: 2026-07-06 18:53
VLAI
EPSS
VEX
Title
Imager::File::JPEG versions before 1.003 for Perl leak heap memory when reading a JPEG with repeated APP13 markers in i_readjpeg_wiol
Summary
Imager::File::JPEG versions before 1.003 for Perl leak heap memory when reading a JPEG with repeated APP13 markers in i_readjpeg_wiol.
i_readjpeg_wiol walks the marker list libjpeg returns and, for each APP13 marker, allocates a new buffer with *iptc_itext = mymalloc(...) and overwrites the previous pointer without freeing it. Only the final payload is later turned into a Perl scalar and freed, so a JPEG with N such markers leaks the first N-1 payloads on every read.
In a long-lived process, such as an upload or thumbnailing service, repeated reads accumulate these leaks and exhaust available memory, a denial of service.
The same handler ships bundled in the Imager distribution, where versions before 1.032 are affected and the fix ships in 1.032.
Severity
7.5 (High)
SSVC
Exploitation: none
Automatable: yes
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-401 - Missing Release of Memory after Effective Lifetime
Assigner
References
3 references
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| TONYC | Imager::File::JPEG |
Affected:
0 , < 1.003
(custom)
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2026-07-06T18:38:13.622Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "http://www.openwall.com/lists/oss-security/2026/07/06/4"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2026-13708",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-07-06T18:53:48.057324Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-07-06T18:53:51.698Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://cpan.org/modules",
"defaultStatus": "unaffected",
"packageName": "Imager-File-JPEG",
"product": "Imager::File::JPEG",
"programFiles": [
"imjpeg.c"
],
"programRoutines": [
{
"name": "i_readjpeg_wiol"
}
],
"repo": "https://github.com/tonycoz/imager",
"vendor": "TONYC",
"versions": [
{
"lessThan": "1.003",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Imager::File::JPEG versions before 1.003 for Perl leak heap memory when reading a JPEG with repeated APP13 markers in i_readjpeg_wiol.\n\ni_readjpeg_wiol walks the marker list libjpeg returns and, for each APP13 marker, allocates a new buffer with *iptc_itext = mymalloc(...) and overwrites the previous pointer without freeing it. Only the final payload is later turned into a Perl scalar and freed, so a JPEG with N such markers leaks the first N-1 payloads on every read.\n\nIn a long-lived process, such as an upload or thumbnailing service, repeated reads accumulate these leaks and exhaust available memory, a denial of service.\n\nThe same handler ships bundled in the Imager distribution, where versions before 1.032 are affected and the fix ships in 1.032."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-401",
"description": "CWE-401 Missing Release of Memory after Effective Lifetime",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-07-06T12:04:10.659Z",
"orgId": "9b29abf9-4ab0-4765-b253-1875cd9b441e",
"shortName": "CPANSec"
},
"references": [
{
"tags": [
"patch"
],
"url": "https://github.com/tonycoz/imager/commit/9f1c485ca3ee15dc261549e11afb356866552c3a.patch"
},
{
"tags": [
"release-notes"
],
"url": "https://metacpan.org/release/TONYC/Imager-File-JPEG-1.003/source/Changes"
}
],
"solutions": [
{
"lang": "en",
"value": "Upgrade to Imager::File::JPEG 1.003 or later, or to Imager 1.032 or later if the bundled copy is in use."
}
],
"source": {
"discovery": "UNKNOWN"
},
"timeline": [
{
"lang": "en",
"time": "2026-07-01T00:00:00.000Z",
"value": "Version 1.003 released with fix."
}
],
"title": "Imager::File::JPEG versions before 1.003 for Perl leak heap memory when reading a JPEG with repeated APP13 markers in i_readjpeg_wiol",
"x_generator": {
"engine": "cpansec-cna-tool 0.1"
}
}
},
"cveMetadata": {
"assignerOrgId": "9b29abf9-4ab0-4765-b253-1875cd9b441e",
"assignerShortName": "CPANSec",
"cveId": "CVE-2026-13708",
"datePublished": "2026-07-06T12:04:10.659Z",
"dateReserved": "2026-06-29T13:22:53.937Z",
"dateUpdated": "2026-07-06T18:53:51.698Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-13705 (GCVE-0-2026-13705)
Vulnerability from cvelistv5 – Published: 2026-07-06 12:03 – Updated: 2026-07-06 19:24
VLAI
EPSS
VEX
Title
Imager versions before 1.032 for Perl have a heap out-of-bounds read in the bundled Imager::File::SGI reader via a 16-bit RLE literal run in read_rgb_16_rle
Summary
Imager versions before 1.032 for Perl have a heap out-of-bounds read in the bundled Imager::File::SGI reader via a 16-bit RLE literal run in read_rgb_16_rle.
read_rgb_16_rle guards each literal run with if (count > data_left), but count is a pixel count while every 16-bit sample consumes two bytes. The copy loop reads inp[0] * 256 + inp[1] and advances two bytes per pixel, so a run with data_left / 2 < count <= data_left passes the guard yet consumes 2 * count bytes and reads past the end of the buffer. The 8-bit path is unaffected because there one pixel is one byte.
Reading a crafted SGI image through Imager->read triggers the over-read before the parser rejects the malformed image, which can crash the process.
Severity
7.1 (High)
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-125 - Out-of-bounds Read
Assigner
References
3 references
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2026-07-06T18:38:12.676Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "http://www.openwall.com/lists/oss-security/2026/07/06/3"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2026-13705",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-07-06T19:24:34.960922Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-07-06T19:24:38.327Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://cpan.org/modules",
"defaultStatus": "unaffected",
"packageName": "Imager",
"product": "Imager",
"programFiles": [
"SGI/imsgi.c"
],
"programRoutines": [
{
"name": "read_rgb_16_rle"
}
],
"repo": "https://github.com/tonycoz/imager",
"vendor": "TONYC",
"versions": [
{
"lessThan": "1.032",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Imager versions before 1.032 for Perl have a heap out-of-bounds read in the bundled Imager::File::SGI reader via a 16-bit RLE literal run in read_rgb_16_rle.\n\nread_rgb_16_rle guards each literal run with if (count \u003e data_left), but count is a pixel count while every 16-bit sample consumes two bytes. The copy loop reads inp[0] * 256 + inp[1] and advances two bytes per pixel, so a run with data_left / 2 \u003c count \u003c= data_left passes the guard yet consumes 2 * count bytes and reads past the end of the buffer. The 8-bit path is unaffected because there one pixel is one byte.\n\nReading a crafted SGI image through Imager-\u003eread triggers the over-read before the parser rejects the malformed image, which can crash the process."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-125",
"description": "CWE-125 Out-of-bounds Read",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-07-06T12:03:38.513Z",
"orgId": "9b29abf9-4ab0-4765-b253-1875cd9b441e",
"shortName": "CPANSec"
},
"references": [
{
"tags": [
"patch"
],
"url": "https://github.com/tonycoz/imager/commit/f28de02770dfc26ffbdc32048970ed84babbf730.patch"
},
{
"tags": [
"release-notes"
],
"url": "https://metacpan.org/release/TONYC/Imager-1.032/source/Changes"
}
],
"solutions": [
{
"lang": "en",
"value": "Upgrade to Imager 1.032 or later."
}
],
"source": {
"discovery": "UNKNOWN"
},
"timeline": [
{
"lang": "en",
"time": "2026-07-01T00:00:00.000Z",
"value": "Version 1.032 released with fix."
}
],
"title": "Imager versions before 1.032 for Perl have a heap out-of-bounds read in the bundled Imager::File::SGI reader via a 16-bit RLE literal run in read_rgb_16_rle",
"x_generator": {
"engine": "cpansec-cna-tool 0.1"
}
}
},
"cveMetadata": {
"assignerOrgId": "9b29abf9-4ab0-4765-b253-1875cd9b441e",
"assignerShortName": "CPANSec",
"cveId": "CVE-2026-13705",
"datePublished": "2026-07-06T12:03:38.513Z",
"dateReserved": "2026-06-29T13:21:04.275Z",
"dateUpdated": "2026-07-06T19:24:38.327Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-14803 (GCVE-0-2026-14803)
Vulnerability from cvelistv5 – Published: 2026-07-06 01:34 – Updated: 2026-07-06 18:51
VLAI
EPSS
VEX
Title
Mojo::JSON versions before 9.47 for Perl allow memory exhaustion via unbounded recursion in the pure-Perl decoder
Summary
Mojo::JSON versions before 9.47 for Perl allow memory exhaustion via unbounded recursion in the pure-Perl decoder.
The pure-Perl decode path (`_decode_value` dispatching to `_decode_array` and `_decode_object`) recurses with no depth limit, so a small deeply nested JSON document can consume excessive memory.
This path is the default when Cpanel::JSON::XS is not installed or `MOJO_NO_JSON_XS=1` is set; the Cpanel::JSON::XS fast path is not affected.
Any caller that decodes an untrusted JSON body, for example `Mojo::Message::json` reached through `$c->req->json`, can exhaust process memory and cause denial of service.
Severity
6.5 (Medium)
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-674 - Uncontrolled Recursion
Assigner
References
3 references
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| SRI | Mojo::JSON |
Affected:
0 , < 9.47
(custom)
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2026-07-06T05:27:01.702Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "http://www.openwall.com/lists/oss-security/2026/07/06/2"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2026-14803",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-07-06T18:50:20.863135Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-07-06T18:51:14.358Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://cpan.org/modules",
"defaultStatus": "unaffected",
"packageName": "Mojolicious",
"product": "Mojo::JSON",
"programFiles": [
"lib/Mojo/JSON.pm"
],
"programRoutines": [
{
"name": "Mojo::JSON::_decode_array"
},
{
"name": "Mojo::JSON::_decode_object"
}
],
"repo": "https://github.com/mojolicious/mojo",
"vendor": "SRI",
"versions": [
{
"lessThan": "9.47",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Mojo::JSON versions before 9.47 for Perl allow memory exhaustion via unbounded recursion in the pure-Perl decoder.\n\nThe pure-Perl decode path (`_decode_value` dispatching to `_decode_array` and `_decode_object`) recurses with no depth limit, so a small deeply nested JSON document can consume excessive memory.\n\nThis path is the default when Cpanel::JSON::XS is not installed or `MOJO_NO_JSON_XS=1` is set; the Cpanel::JSON::XS fast path is not affected.\n\nAny caller that decodes an untrusted JSON body, for example `Mojo::Message::json` reached through `$c-\u003ereq-\u003ejson`, can exhaust process memory and cause denial of service."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-674",
"description": "CWE-674 Uncontrolled Recursion",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-07-06T01:34:43.872Z",
"orgId": "9b29abf9-4ab0-4765-b253-1875cd9b441e",
"shortName": "CPANSec"
},
"references": [
{
"tags": [
"patch"
],
"url": "https://github.com/mojolicious/mojo/commit/cc38b0554275c4d84f6b8b49bcbbc1bec2068fe1.patch"
},
{
"tags": [
"release-notes"
],
"url": "https://metacpan.org/release/SRI/Mojolicious-9.47/changes"
}
],
"solutions": [
{
"lang": "en",
"value": "Upgrade to Mojolicious 9.47 or later."
}
],
"source": {
"discovery": "UNKNOWN"
},
"timeline": [
{
"lang": "en",
"time": "2026-07-05T00:00:00.000Z",
"value": "Version 9.47 released with fix."
}
],
"title": "Mojo::JSON versions before 9.47 for Perl allow memory exhaustion via unbounded recursion in the pure-Perl decoder",
"workarounds": [
{
"lang": "en",
"value": "Where upgrading is not possible, install Cpanel::JSON::XS in the include path and leave `MOJO_NO_JSON_XS` unset."
}
],
"x_generator": {
"engine": "cpansec-cna-tool 0.1"
}
}
},
"cveMetadata": {
"assignerOrgId": "9b29abf9-4ab0-4765-b253-1875cd9b441e",
"assignerShortName": "CPANSec",
"cveId": "CVE-2026-14803",
"datePublished": "2026-07-06T01:34:43.872Z",
"dateReserved": "2026-07-05T21:23:29.979Z",
"dateUpdated": "2026-07-06T18:51:14.358Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-14570 (GCVE-0-2026-14570)
Vulnerability from cvelistv5 – Published: 2026-07-05 01:30 – Updated: 2026-07-06 13:42
VLAI
EPSS
VEX
Title
Crypt::DSA versions before 1.22 for Perl draw the DSA signing nonce and private key from a biased random generator, leading to private-key recovery
Summary
Crypt::DSA versions before 1.22 for Perl draw the DSA signing nonce and private key from a biased random generator, leading to private-key recovery.
"Crypt::DSA::Util::makerandom forces the high bit of every value it returns to obtain an exactly N-bit integer for prime search. The signing nonce and the private key are drawn from makerandom. Because the high bit is always set, the result is not uniform: its top bit is fixed, producing insecure values."
An attacker who collects a modest number of signatures under an affected key, together with the public key, can recover the private key with a lattice attack.
Keys used to sign with an affected version should be considered compromised and new keys should be generated.
Severity
7.5 (High)
SSVC
Exploitation: none
Automatable: yes
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-330 - Use of Insufficiently Random Values
Assigner
References
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| TIMLEGGE | Crypt::DSA |
Affected:
0 , < 1.22
(custom)
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2026-07-05T05:19:58.316Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "http://www.openwall.com/lists/oss-security/2026/07/05/1"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2026-14570",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-07-06T13:41:52.097549Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-07-06T13:42:11.715Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://cpan.org/modules",
"defaultStatus": "unaffected",
"packageName": "Crypt-DSA",
"product": "Crypt::DSA",
"programFiles": [
"lib/Crypt/DSA/Util.pm",
"lib/Crypt/DSA.pm",
"lib/Crypt/DSA/KeyChain.pm"
],
"programRoutines": [
{
"name": "Crypt::DSA::Util::makerandom"
},
{
"name": "Crypt::DSA::sign"
},
{
"name": "Crypt::DSA::KeyChain::generate_keys"
}
],
"repo": "https://github.com/perl-Crypt-OpenPGP/Crypt-DSA",
"vendor": "TIMLEGGE",
"versions": [
{
"lessThan": "1.22",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Crypt::DSA versions before 1.22 for Perl draw the DSA signing nonce and private key from a biased random generator, leading to private-key recovery.\n\n\"Crypt::DSA::Util::makerandom forces the high bit of every value it returns to obtain an exactly N-bit integer for prime search. The signing nonce and the private key are drawn from makerandom. Because the high bit is always set, the result is not uniform: its top bit is fixed, producing insecure values.\"\n\nAn attacker who collects a modest number of signatures under an affected key, together with the public key, can recover the private key with a lattice attack.\n\nKeys used to sign with an affected version should be considered compromised and new keys should be generated."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-330",
"description": "CWE-330 Use of Insufficiently Random Values",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-07-05T01:30:12.849Z",
"orgId": "9b29abf9-4ab0-4765-b253-1875cd9b441e",
"shortName": "CPANSec"
},
"references": [
{
"url": "https://metacpan.org/release/TIMLEGGE/Crypt-DSA-1.21/source/lib/Crypt/DSA/Util.pm#L56"
},
{
"url": "https://metacpan.org/release/TIMLEGGE/Crypt-DSA-1.22/diff/TIMLEGGE/Crypt-DSA-1.21#lib/Crypt/DSA/Util.pm"
},
{
"tags": [
"release-notes"
],
"url": "https://metacpan.org/release/TIMLEGGE/Crypt-DSA-1.22/changes"
}
],
"solutions": [
{
"lang": "en",
"value": "Upgrade to version 1.22 or later, which draws the nonce and private key uniformly via rejection sampling (Crypt::DSA::Util::randombelow) with no forced high bit.\n\nRevoke and regenerate any keys used to sign with an affected version.\n\nCrypt::DSA was deprecated in version 1.20. You should migrate to another solution."
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Crypt::DSA versions before 1.22 for Perl draw the DSA signing nonce and private key from a biased random generator, leading to private-key recovery",
"x_generator": {
"engine": "cpansec-cna-tool 0.1"
}
}
},
"cveMetadata": {
"assignerOrgId": "9b29abf9-4ab0-4765-b253-1875cd9b441e",
"assignerShortName": "CPANSec",
"cveId": "CVE-2026-14570",
"datePublished": "2026-07-05T01:30:12.849Z",
"dateReserved": "2026-07-03T10:37:19.787Z",
"dateUpdated": "2026-07-06T13:42:11.715Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-12740 (GCVE-0-2026-12740)
Vulnerability from cvelistv5 – Published: 2026-07-04 17:58 – Updated: 2026-07-06 13:54
VLAI
EPSS
VEX
Title
Plack::Middleware::OAuth versions through 0.10 for Perl do not support the OAuth 2.0 state parameter
Summary
Plack::Middleware::OAuth versions through 0.10 for Perl do not support the OAuth 2.0 state parameter.
RequestTokenV2 builds the provider authorization redirect without issuing a state value, and AccessTokenV2 exchanges the callback code and registers the resulting token into the session (register_session) without verifying that the callback corresponds to an authorization request this session initiated.
Any application that uses this middleware for OAuth 2.0 login is exposed to login cross-site request forgery: because the callback is not bound to the session that began the flow, an attacker who starts an authorization with their own provider account can deliver the resulting callback to a victim, causing the victim's session to complete the attacker's authorization and associating the attacker's provider identity and access token with that session. Where the application persists this as an account link, the attacker may retain access to the victim's account through their own provider credentials.
Severity
8.1 (High)
SSVC
Exploitation: none
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-352 - Cross-Site Request Forgery (CSRF)
Assigner
References
5 references
| URL | Tags |
|---|---|
| https://rt.cpan.org/Ticket/Display.html?id=179874 | issue-tracking |
| https://github.com/c9s/Plack-Middleware-OAuth/pull/13 | issue-tracking |
| https://security.metacpan.org/patches/P/Plack-Mid… | patch |
| https://datatracker.ietf.org/doc/html/rfc6749#sec… | technical-description |
| http://www.openwall.com/lists/oss-security/2026/0… |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| CORNELIUS | Plack::Middleware::OAuth |
Affected:
0 , ≤ 0.10
(custom)
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2026-07-04T19:29:05.133Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "http://www.openwall.com/lists/oss-security/2026/07/04/10"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 8.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2026-12740",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-07-06T13:54:10.583390Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-07-06T13:54:14.245Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://cpan.org/modules",
"defaultStatus": "unaffected",
"packageName": "Plack-Middleware-OAuth",
"product": "Plack::Middleware::OAuth",
"programFiles": [
"lib/Plack/Middleware/OAuth/Handler/AccessTokenV2.pm",
"lib/Plack/Middleware/OAuth/Handler/RequestTokenV2.pm"
],
"repo": "https://github.com/c9s/Plack-Middleware-OAuth",
"vendor": "CORNELIUS",
"versions": [
{
"lessThanOrEqual": "0.10",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Plack::Middleware::OAuth versions through 0.10 for Perl do not support the OAuth 2.0 state parameter.\n\nRequestTokenV2 builds the provider authorization redirect without issuing a state value, and AccessTokenV2 exchanges the callback code and registers the resulting token into the session (register_session) without verifying that the callback corresponds to an authorization request this session initiated.\n\nAny application that uses this middleware for OAuth 2.0 login is exposed to login cross-site request forgery: because the callback is not bound to the session that began the flow, an attacker who starts an authorization with their own provider account can deliver the resulting callback to a victim, causing the victim\u0027s session to complete the attacker\u0027s authorization and associating the attacker\u0027s provider identity and access token with that session. Where the application persists this as an account link, the attacker may retain access to the victim\u0027s account through their own provider credentials."
}
],
"impacts": [
{
"capecId": "CAPEC-62",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-62 Cross Site Request Forgery"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-352",
"description": "CWE-352 Cross-Site Request Forgery (CSRF)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-07-04T17:58:31.298Z",
"orgId": "9b29abf9-4ab0-4765-b253-1875cd9b441e",
"shortName": "CPANSec"
},
"references": [
{
"tags": [
"issue-tracking"
],
"url": "https://rt.cpan.org/Ticket/Display.html?id=179874"
},
{
"tags": [
"issue-tracking"
],
"url": "https://github.com/c9s/Plack-Middleware-OAuth/pull/13"
},
{
"tags": [
"patch"
],
"url": "https://security.metacpan.org/patches/P/Plack-Middleware-OAuth/0.10/CVE-2026-12740-r1.patch"
},
{
"tags": [
"technical-description"
],
"url": "https://datatracker.ietf.org/doc/html/rfc6749#section-10.12"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Plack::Middleware::OAuth versions through 0.10 for Perl do not support the OAuth 2.0 state parameter",
"workarounds": [
{
"lang": "en",
"value": "Use the latest version from the git repository, with the patch applied."
}
],
"x_generator": {
"engine": "cpansec-cna-tool 0.1"
}
}
},
"cveMetadata": {
"assignerOrgId": "9b29abf9-4ab0-4765-b253-1875cd9b441e",
"assignerShortName": "CPANSec",
"cveId": "CVE-2026-12740",
"datePublished": "2026-07-04T17:58:31.298Z",
"dateReserved": "2026-06-19T16:43:08.971Z",
"dateUpdated": "2026-07-06T13:54:14.245Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-12746 (GCVE-0-2026-12746)
Vulnerability from cvelistv5 – Published: 2026-07-04 17:52 – Updated: 2026-07-06 14:56
VLAI
EPSS
VEX
Title
Dancer2::Plugin::Auth::OAuth::Provider versions before 0.23 for Perl do not support the OAuth 2.0 state parameter
Summary
Dancer2::Plugin::Auth::OAuth::Provider versions before 0.23 for Perl do not support the OAuth 2.0 state parameter.
The authentication_url method builds the provider authorization redirect without issuing a state value, and the callback method exchanges the callback code and registers the resulting token into the session without verifying that the callback corresponds to an authorization request this session initiated.
Any application that uses this plugin for OAuth 2.0 login is exposed to login cross-site request forgery: because the callback is not bound to the session that began the flow, an attacker who starts an authorization with their own provider account can deliver the resulting callback to a victim, causing the victim's session to complete the attacker's authorization and associating the attacker's provider identity and access token with that session. Where the application persists this as an account link, the attacker may retain access to the victim's account through their own provider credentials.
Severity
8.1 (High)
SSVC
Exploitation: none
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-352 - Cross-Site Request Forgery (CSRF)
Assigner
References
4 references
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| BIAFRA | Dancer2::Plugin::Auth::OAuth::Provider |
Affected:
0 , < 0.23
(custom)
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2026-07-04T19:29:06.345Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "http://www.openwall.com/lists/oss-security/2026/07/04/9"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 8.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2026-12746",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-07-06T14:55:59.796200Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-07-06T14:56:03.698Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://cpan.org/modules",
"defaultStatus": "unaffected",
"packageName": "Dancer2-Plugin-Auth-OAuth",
"product": "Dancer2::Plugin::Auth::OAuth::Provider",
"programFiles": [
"lib/Dancer2/Plugin/Auth/OAuth/Provider.pm"
],
"programRoutines": [
{
"name": "Dancer2::Plugin::Auth::OAuth::Provider::authentication_url"
},
{
"name": "Dancer2::Plugin::Auth::OAuth::Provider::callback"
}
],
"repo": "https://github.com/biafra/perl-Dancer2-Plugin-Auth-OAuth",
"vendor": "BIAFRA",
"versions": [
{
"lessThan": "0.23",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Dancer2::Plugin::Auth::OAuth::Provider versions before 0.23 for Perl do not support the OAuth 2.0 state parameter.\n\nThe authentication_url method builds the provider authorization redirect without issuing a state value, and the callback method exchanges the callback code and registers the resulting token into the session without verifying that the callback corresponds to an authorization request this session initiated.\n\nAny application that uses this plugin for OAuth 2.0 login is exposed to login cross-site request forgery: because the callback is not bound to the session that began the flow, an attacker who starts an authorization with their own provider account can deliver the resulting callback to a victim, causing the victim\u0027s session to complete the attacker\u0027s authorization and associating the attacker\u0027s provider identity and access token with that session. Where the application persists this as an account link, the attacker may retain access to the victim\u0027s account through their own provider credentials."
}
],
"impacts": [
{
"capecId": "CAPEC-62",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-62 Cross Site Request Forgery"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-352",
"description": "CWE-352 Cross-Site Request Forgery (CSRF)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-07-04T17:52:41.494Z",
"orgId": "9b29abf9-4ab0-4765-b253-1875cd9b441e",
"shortName": "CPANSec"
},
"references": [
{
"url": "https://metacpan.org/release/BIAFRA/Dancer2-Plugin-Auth-OAuth-0.23/diff/BIAFRA/Dancer2-Plugin-Auth-OAuth-0.22"
},
{
"tags": [
"patch"
],
"url": "https://github.com/biafra/perl-Dancer2-Plugin-Auth-OAuth/commit/806420fc2abbe13bede4461475f2f3dcd7daf5f2.patch"
},
{
"tags": [
"technical-description"
],
"url": "https://datatracker.ietf.org/doc/html/rfc6749#section-10.12"
}
],
"solutions": [
{
"lang": "en",
"value": "Upgrade to version 0.23 or later."
}
],
"source": {
"discovery": "UNKNOWN"
},
"timeline": [
{
"lang": "en",
"time": "2026-06-22T00:00:00.000Z",
"value": "Version 0.23 released with a fix."
}
],
"title": "Dancer2::Plugin::Auth::OAuth::Provider versions before 0.23 for Perl do not support the OAuth 2.0 state parameter",
"x_generator": {
"engine": "cpansec-cna-tool 0.1"
}
}
},
"cveMetadata": {
"assignerOrgId": "9b29abf9-4ab0-4765-b253-1875cd9b441e",
"assignerShortName": "CPANSec",
"cveId": "CVE-2026-12746",
"datePublished": "2026-07-04T17:52:41.494Z",
"dateReserved": "2026-06-19T17:42:35.807Z",
"dateUpdated": "2026-07-06T14:56:03.698Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-56015 (GCVE-0-2026-56015)
Vulnerability from cvelistv5 – Published: 2026-07-03 12:56 – Updated: 2026-07-06 18:36
VLAI
EPSS
VEX
Title
Net::IP::LPM versions through 1.10 for Perl allow a heap out-of-bounds read via an unbounded prefix length
Summary
Net::IP::LPM versions through 1.10 for Perl allow a heap out-of-bounds read via an unbounded prefix length.
add() passes the prefix string to the trie builder addPrefixToTrie() without checking it against the address width.
addPrefixToTrie() then walks the prefix buffer by prefix_length bits, reading prefix[byte] for byte up to prefix_len/8, where prefix is the 4-byte (IPv4) or 16-byte (IPv6) packed address. A prefix length greater than 32 for IPv4 or 128 for IPv6, for example add("1.2.3.4/255", $v) or add("2001:db8::/255", $v), reads past the end of the packed address.
The out-of-bounds read happens during trie construction and is bounded: the prefix length is stored as an unsigned char, so the bit walk reads at most 32 bytes from the start of the packed address, a short distance past the end of the 4-byte or 16-byte buffer. It is detectable under AddressSanitizer, valgrind, or a hardened allocator, where it can abort the process. Lookups and dump() format only the valid address width, so the out-of-bounds bytes are not exposed through the module's API.
Severity
9.1 (Critical)
SSVC
Exploitation: none
Automatable: yes
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-125 - Out-of-bounds Read
Assigner
References
3 references
| URL | Tags |
|---|---|
| https://rt.cpan.org/Ticket/Display.html?id=179856 | issue-trackingvendor-advisory |
| https://security.metacpan.org/patches/N/Net-IP-LP… | patch |
| http://www.openwall.com/lists/oss-security/2026/07/03/4 |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| TPODER | Net::IP::LPM |
Affected:
0 , ≤ 1.10
(custom)
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2026-07-03T16:31:29.386Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "http://www.openwall.com/lists/oss-security/2026/07/03/4"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.1,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2026-56015",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-07-06T18:35:54.436194Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-07-06T18:36:22.103Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://cpan.org/modules",
"defaultStatus": "unaffected",
"packageName": "Net-IP-LPM",
"product": "Net::IP::LPM",
"programFiles": [
"lib/Net/IP/LPM.pm",
"lpm_lib.c"
],
"programRoutines": [
{
"name": "Net::IP::LPM::add"
},
{
"name": "addPrefixToTrie"
},
{
"name": "lpm_add_raw"
}
],
"vendor": "TPODER",
"versions": [
{
"lessThanOrEqual": "1.10",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Net::IP::LPM versions through 1.10 for Perl allow a heap out-of-bounds read via an unbounded prefix length.\n\nadd() passes the prefix string to the trie builder addPrefixToTrie() without checking it against the address width.\n\naddPrefixToTrie() then walks the prefix buffer by prefix_length bits, reading prefix[byte] for byte up to prefix_len/8, where prefix is the 4-byte (IPv4) or 16-byte (IPv6) packed address. A prefix length greater than 32 for IPv4 or 128 for IPv6, for example add(\"1.2.3.4/255\", $v) or add(\"2001:db8::/255\", $v), reads past the end of the packed address.\n\nThe out-of-bounds read happens during trie construction and is bounded: the prefix length is stored as an unsigned char, so the bit walk reads at most 32 bytes from the start of the packed address, a short distance past the end of the 4-byte or 16-byte buffer. It is detectable under AddressSanitizer, valgrind, or a hardened allocator, where it can abort the process. Lookups and dump() format only the valid address width, so the out-of-bounds bytes are not exposed through the module\u0027s API."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-125",
"description": "CWE-125 Out-of-bounds Read",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-07-03T12:56:04.288Z",
"orgId": "9b29abf9-4ab0-4765-b253-1875cd9b441e",
"shortName": "CPANSec"
},
"references": [
{
"tags": [
"issue-tracking",
"vendor-advisory"
],
"url": "https://rt.cpan.org/Ticket/Display.html?id=179856"
},
{
"tags": [
"patch"
],
"url": "https://security.metacpan.org/patches/N/Net-IP-LPM/1.10/CVE-2026-56015-r2.patch"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Net::IP::LPM versions through 1.10 for Perl allow a heap out-of-bounds read via an unbounded prefix length",
"workarounds": [
{
"lang": "en",
"value": "Apply the patch.\n\nOtherwise, reject prefix lengths greater than 32 (IPv4) or 128 (IPv6) before passing them to add()."
}
],
"x_generator": {
"engine": "cpansec-cna-tool 0.1"
}
}
},
"cveMetadata": {
"assignerOrgId": "9b29abf9-4ab0-4765-b253-1875cd9b441e",
"assignerShortName": "CPANSec",
"cveId": "CVE-2026-56015",
"datePublished": "2026-07-03T12:56:04.288Z",
"dateReserved": "2026-06-18T11:27:09.117Z",
"dateUpdated": "2026-07-06T18:36:22.103Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-15646 (GCVE-0-2025-15646)
Vulnerability from cvelistv5 – Published: 2026-07-01 14:38 – Updated: 2026-07-01 18:09
VLAI
EPSS
VEX
Title
HTML::Gumbo versions before 0.19 for Perl disclose heap memory via type confusion
Summary
HTML::Gumbo versions before 0.19 for Perl disclose heap memory via type confusion.
Support for the <template> element was added to libgumbo 0.10.0 in 2015, but the walk_tree function in lib/HTML/Gumbo.xs was not updated to support it. The element was treated as a text-node, where strlen() over-reads the heap block that the pointer addresses.
Any caller that runs parse() with the default format => 'string', or with format => 'tree', on input containing a <template> element serializes the over-read bytes into the returned result, disclosing bounded heap contents. format => 'callback' reaches a croak on the unhandled node type and is unaffected.
Severity
9.8 (Critical)
SSVC
Exploitation: none
Automatable: yes
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
Assigner
References
4 references
| URL | Tags |
|---|---|
| https://github.com/bestpractical/HTML-Gumbo/commi… | patch |
| https://metacpan.org/release/BPS/HTML-Gumbo-0.19/… | release-notes |
| https://bugs.debian.org/1104789 | issue-tracking |
| http://www.openwall.com/lists/oss-security/2026/07/01/7 |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| BPS | HTML::Gumbo |
Affected:
0 , < 0.19
(custom)
|
Credits
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2026-07-01T17:36:44.275Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "http://www.openwall.com/lists/oss-security/2026/07/01/7"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2025-15646",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-07-01T18:08:40.682429Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-07-01T18:09:08.371Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://cpan.org/modules",
"defaultStatus": "unaffected",
"packageName": "HTML-Gumbo",
"product": "HTML::Gumbo",
"programFiles": [
"lib/HTML/Gumbo.xs"
],
"programRoutines": [
{
"name": "walk_tree"
}
],
"repo": "https://github.com/bestpractical/HTML-Gumbo",
"vendor": "BPS",
"versions": [
{
"lessThan": "0.19",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Vincent Lefevre"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Niko Tyni"
}
],
"descriptions": [
{
"lang": "en",
"value": "HTML::Gumbo versions before 0.19 for Perl disclose heap memory via type confusion.\n\nSupport for the \u003ctemplate\u003e element was added to libgumbo 0.10.0 in 2015, but the walk_tree function in lib/HTML/Gumbo.xs was not updated to support it. The element was treated as a text-node, where strlen() over-reads the heap block that the pointer addresses.\n\nAny caller that runs parse() with the default format =\u003e \u0027string\u0027, or with format =\u003e \u0027tree\u0027, on input containing a \u003ctemplate\u003e element serializes the over-read bytes into the returned result, disclosing bounded heap contents. format =\u003e \u0027callback\u0027 reaches a croak on the unhandled node type and is unaffected."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-843",
"description": "CWE-843 Access of Resource Using Incompatible Type (Type Confusion)",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-125",
"description": "CWE-125 Out-of-bounds Read",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-07-01T14:38:03.727Z",
"orgId": "9b29abf9-4ab0-4765-b253-1875cd9b441e",
"shortName": "CPANSec"
},
"references": [
{
"tags": [
"patch"
],
"url": "https://github.com/bestpractical/HTML-Gumbo/commit/15c0598909d4a64f47ef0a1abc5051f4e113c186.patch"
},
{
"tags": [
"release-notes"
],
"url": "https://metacpan.org/release/BPS/HTML-Gumbo-0.19/changes"
},
{
"tags": [
"issue-tracking"
],
"url": "https://bugs.debian.org/1104789"
}
],
"solutions": [
{
"lang": "en",
"value": "Upgrade to HTML-Gumbo 0.19 or later, which adds GUMBO_NODE_TEMPLATE to the container node types handled by walk_tree."
}
],
"source": {
"discovery": "UNKNOWN"
},
"timeline": [
{
"lang": "en",
"time": "2015-04-30T00:00:00.000Z",
"value": "Gumbo 0.10.0 released with support for the \u003ctemplate\u003e element."
},
{
"lang": "en",
"time": "2025-05-06T00:00:00.000Z",
"value": "Reported to the Debian bug tracker (#1104789)."
},
{
"lang": "en",
"time": "2025-05-17T00:00:00.000Z",
"value": "Fix committed upstream."
},
{
"lang": "en",
"time": "2026-05-21T00:00:00.000Z",
"value": "Version 0.19 released with fix."
}
],
"title": "HTML::Gumbo versions before 0.19 for Perl disclose heap memory via type confusion",
"x_generator": {
"engine": "cpansec-cna-tool 0.1"
}
}
},
"cveMetadata": {
"assignerOrgId": "9b29abf9-4ab0-4765-b253-1875cd9b441e",
"assignerShortName": "CPANSec",
"cveId": "CVE-2025-15646",
"datePublished": "2026-07-01T14:38:03.727Z",
"dateReserved": "2026-05-22T10:47:01.107Z",
"dateUpdated": "2026-07-01T18:09:08.371Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-56016 (GCVE-0-2026-56016)
Vulnerability from cvelistv5 – Published: 2026-07-01 06:46 – Updated: 2026-07-01 17:36
VLAI
EPSS
VEX
Title
CGI::Session::ID::md5 versions before 4.49 for Perl generate predictable session ids from low-entropy sources
Summary
CGI::Session::ID::md5 versions before 4.49 for Perl generate predictable session ids from low-entropy sources.
The generate_id method builds the session id from a MD5 digest of the process id, the epoch time, and the built-in rand() function. All three are predictable, low-entropy sources: the PID is drawn from a small range, the epoch time can be guessed or read from the HTTP Date header, and Perl's rand() is unsuitable for security purposes because it is predictable and reversible.
An attacker who predicts a session id can impersonate the corresponding session and bypass authentication.
Severity
5.9 (Medium)
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
Assigner
References
3 references
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| MARKSTOS | CGI::Session::ID::md5 |
Affected:
0 , < 4.49
(custom)
|
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.9,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2026-56016",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-07-01T14:03:10.013809Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-07-01T14:03:16.730Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2026-07-01T17:36:49.480Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "http://www.openwall.com/lists/oss-security/2026/07/01/6"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://cpan.org/modules",
"defaultStatus": "unaffected",
"packageName": "CGI-Session",
"product": "CGI::Session::ID::md5",
"programFiles": [
"lib/CGI/Session/ID/md5.pm"
],
"programRoutines": [
{
"name": "CGI::Session::ID::md5::generate_id"
}
],
"repo": "http://github.com/cromedome/cgi-session",
"vendor": "MARKSTOS",
"versions": [
{
"lessThan": "4.49",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "CGI::Session::ID::md5 versions before 4.49 for Perl generate predictable session ids from low-entropy sources.\n\nThe generate_id method builds the session id from a MD5 digest of the process id, the epoch time, and the built-in rand() function. All three are predictable, low-entropy sources: the PID is drawn from a small range, the epoch time can be guessed or read from the HTTP Date header, and Perl\u0027s rand() is unsuitable for security purposes because it is predictable and reversible.\n\nAn attacker who predicts a session id can impersonate the corresponding session and bypass authentication."
}
],
"impacts": [
{
"capecId": "CAPEC-59",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-59 Session Credential Falsification through Prediction"
}
]
},
{
"capecId": "CAPEC-115",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-115 Authentication Bypass"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-340",
"description": "CWE-340 Generation of Predictable Numbers or Identifiers",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-338",
"description": "CWE-338 Use of Cryptographically Weak Pseudo-Random Number Generator",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-07-01T06:46:23.589Z",
"orgId": "9b29abf9-4ab0-4765-b253-1875cd9b441e",
"shortName": "CPANSec"
},
"references": [
{
"tags": [
"release-notes"
],
"url": "https://metacpan.org/release/MARKSTOS/CGI-Session-4.49/changes"
},
{
"tags": [
"related"
],
"url": "https://metacpan.org/release/MARKSTOS/CGI-Session-4.49/source/lib/CGI/Session/ID/md5.pm"
}
],
"solutions": [
{
"lang": "en",
"value": "Upgrade to CGI::Session 4.49 or later, which generates session ids from Crypt::SysRandom."
}
],
"source": {
"discovery": "UNKNOWN"
},
"timeline": [
{
"lang": "en",
"time": "2026-06-30T00:00:00.000Z",
"value": "Version 4.49 released with fix."
}
],
"title": "CGI::Session::ID::md5 versions before 4.49 for Perl generate predictable session ids from low-entropy sources",
"x_generator": {
"engine": "cpansec-cna-tool 0.1"
}
}
},
"cveMetadata": {
"assignerOrgId": "9b29abf9-4ab0-4765-b253-1875cd9b441e",
"assignerShortName": "CPANSec",
"cveId": "CVE-2026-56016",
"datePublished": "2026-07-01T06:46:23.589Z",
"dateReserved": "2026-06-18T11:27:09.117Z",
"dateUpdated": "2026-07-01T17:36:49.480Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-13766 (GCVE-0-2026-13766)
Vulnerability from cvelistv5 – Published: 2026-06-30 11:20 – Updated: 2026-06-30 17:35
VLAI
EPSS
VEX
Title
DBIx::QuickORM versions before 0.000026 for Perl allow SQL injection via unquoted SQL identifiers
Summary
DBIx::QuickORM versions before 0.000026 for Perl allow SQL injection via unquoted SQL identifiers.
The default SQL builder, a SQL::Abstract subclass, sets bindtype in its constructor but never quote_char, so SQL::Abstract emits identifiers verbatim. Caller-supplied identifiers (order_by, where-clause column keys, field and returning lists, upsert columns, and join aliases) reach the SQL string raw, while values are placeholder-bound and unaffected.
A caller that forwards untrusted input to an affected identifier position, such as a user-controlled order_by value, enables SQL injection: the row order can be made to depend on a sub-select over columns the query never selected, and the where and update identifier positions permit further data disclosure and tampering.
Severity
9.8 (Critical)
SSVC
Exploitation: none
Automatable: yes
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Assigner
References
3 references
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| EXODIST | DBIx::QuickORM |
Affected:
0 , < 0.000026
(custom)
|
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2026-13766",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-30T14:12:52.476439Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-30T14:13:48.862Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2026-06-30T17:35:42.702Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "http://www.openwall.com/lists/oss-security/2026/06/30/4"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://cpan.org/modules",
"defaultStatus": "unaffected",
"packageName": "DBIx-QuickORM",
"product": "DBIx::QuickORM",
"programFiles": [
"lib/DBIx/QuickORM/SQLBuilder/SQLAbstract.pm",
"lib/DBIx/QuickORM/Connection.pm"
],
"programRoutines": [
{
"name": "DBIx::QuickORM::SQLBuilder::SQLAbstract::new"
},
{
"name": "DBIx::QuickORM::Connection::init"
}
],
"repo": "https://github.com/exodist/DBIx-QuickORM/",
"vendor": "EXODIST",
"versions": [
{
"lessThan": "0.000026",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "DBIx::QuickORM versions before 0.000026 for Perl allow SQL injection via unquoted SQL identifiers.\n\nThe default SQL builder, a SQL::Abstract subclass, sets bindtype in its constructor but never quote_char, so SQL::Abstract emits identifiers verbatim. Caller-supplied identifiers (order_by, where-clause column keys, field and returning lists, upsert columns, and join aliases) reach the SQL string raw, while values are placeholder-bound and unaffected.\n\nA caller that forwards untrusted input to an affected identifier position, such as a user-controlled order_by value, enables SQL injection: the row order can be made to depend on a sub-select over columns the query never selected, and the where and update identifier positions permit further data disclosure and tampering."
}
],
"impacts": [
{
"capecId": "CAPEC-66",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-66 SQL Injection"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-89",
"description": "CWE-89 Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-30T11:20:35.463Z",
"orgId": "9b29abf9-4ab0-4765-b253-1875cd9b441e",
"shortName": "CPANSec"
},
"references": [
{
"tags": [
"patch"
],
"url": "https://github.com/exodist/DBIx-QuickORM/commit/43d7684682050780f056f25e1879191fb0a3265e.patch"
},
{
"tags": [
"release-notes"
],
"url": "https://metacpan.org/release/EXODIST/DBIx-QuickORM-0.000026/changes"
}
],
"solutions": [
{
"lang": "en",
"value": "Upgrade to DBIx::QuickORM 0.000026 or later."
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "DBIx::QuickORM versions before 0.000026 for Perl allow SQL injection via unquoted SQL identifiers",
"x_generator": {
"engine": "cpansec-cna-tool 0.1"
}
}
},
"cveMetadata": {
"assignerOrgId": "9b29abf9-4ab0-4765-b253-1875cd9b441e",
"assignerShortName": "CPANSec",
"cveId": "CVE-2026-13766",
"datePublished": "2026-06-30T11:20:35.463Z",
"dateReserved": "2026-06-29T19:58:43.298Z",
"dateUpdated": "2026-06-30T17:35:42.702Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-57082 (GCVE-0-2026-57082)
Vulnerability from cvelistv5 – Published: 2026-06-30 11:05 – Updated: 2026-06-30 14:20
VLAI
EPSS
VEX
Title
Net::BitTorrent versions through 2.0.1 for Perl generate the MSE Diffie-Hellman private key with a non-cryptographic PRNG
Summary
Net::BitTorrent versions through 2.0.1 for Perl generate the MSE Diffie-Hellman private key with a non-cryptographic PRNG.
The MSE (Message Stream Encryption) handshake derives its 160-bit Diffie-Hellman private key from Perl's rand(), a non-cryptographic drand48-class generator seeded once per process, in KeyExchange.pm. The shared secret and the RC4 keys derived from it (the SHA-1 of "keyA" or "keyB", the shared secret, and the infohash) therefore depend entirely on a predictable PRNG. The same handshake sends, in cleartext, random padding drawn from the same rand() sequence in _random_pad, immediately after the public key and the private-key draw.
A passive observer of the handshake recovers the PRNG state from the cleartext padding, reconstructs the private key, computes the shared secret from the peer's public key on the wire, derives the RC4 keys, and decrypts the connection, defeating the passive-observation obfuscation MSE provides.
Severity
5.9 (Medium)
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://github.com/sanko/Net-BitTorrent.pm/securi… | vendor-advisory |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| SANKO | Net::BitTorrent |
Affected:
0 , ≤ 2.0.1
(custom)
|
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.9,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2026-57082",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-30T14:19:46.278267Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-30T14:20:32.388Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://cpan.org/modules",
"defaultStatus": "unaffected",
"packageName": "Net-BitTorrent",
"product": "Net::BitTorrent",
"programFiles": [
"lib/Net/BitTorrent/Protocol/MSE/KeyExchange.pm",
"lib/Net/BitTorrent/Protocol/MSE.pm",
"lib/Net/BitTorrent/Peer.pm"
],
"programRoutines": [
{
"name": "Net::BitTorrent::Protocol::MSE::_random_pad"
}
],
"repo": "https://github.com/sanko/Net-BitTorrent.pm",
"vendor": "SANKO",
"versions": [
{
"lessThanOrEqual": "2.0.1",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Net::BitTorrent versions through 2.0.1 for Perl generate the MSE Diffie-Hellman private key with a non-cryptographic PRNG.\n\nThe MSE (Message Stream Encryption) handshake derives its 160-bit Diffie-Hellman private key from Perl\u0027s rand(), a non-cryptographic drand48-class generator seeded once per process, in KeyExchange.pm. The shared secret and the RC4 keys derived from it (the SHA-1 of \"keyA\" or \"keyB\", the shared secret, and the infohash) therefore depend entirely on a predictable PRNG. The same handshake sends, in cleartext, random padding drawn from the same rand() sequence in _random_pad, immediately after the public key and the private-key draw.\n\nA passive observer of the handshake recovers the PRNG state from the cleartext padding, reconstructs the private key, computes the shared secret from the peer\u0027s public key on the wire, derives the RC4 keys, and decrypts the connection, defeating the passive-observation obfuscation MSE provides."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-338",
"description": "CWE-338 Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG)",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-330",
"description": "CWE-330 Use of Insufficiently Random Values",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-30T11:05:33.709Z",
"orgId": "9b29abf9-4ab0-4765-b253-1875cd9b441e",
"shortName": "CPANSec"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://github.com/sanko/Net-BitTorrent.pm/security/advisories/GHSA-g444-x2c5-94hc"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Net::BitTorrent versions through 2.0.1 for Perl generate the MSE Diffie-Hellman private key with a non-cryptographic PRNG",
"workarounds": [
{
"lang": "en",
"value": "There is no fixed release. Draw the Diffie-Hellman private key and the handshake padding from a cryptographic source such as Crypt::URandom rather than rand()."
}
],
"x_generator": {
"engine": "cpansec-cna-tool 0.1"
}
}
},
"cveMetadata": {
"assignerOrgId": "9b29abf9-4ab0-4765-b253-1875cd9b441e",
"assignerShortName": "CPANSec",
"cveId": "CVE-2026-57082",
"datePublished": "2026-06-30T11:05:33.709Z",
"dateReserved": "2026-06-23T18:20:33.514Z",
"dateUpdated": "2026-06-30T14:20:32.388Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-57081 (GCVE-0-2026-57081)
Vulnerability from cvelistv5 – Published: 2026-06-30 11:05 – Updated: 2026-06-30 15:04
VLAI
EPSS
VEX
Title
Net::BitTorrent versions through 2.0.1 for Perl allow remote memory exhaustion via deeply nested bencoded input
Summary
Net::BitTorrent versions through 2.0.1 for Perl allow remote memory exhaustion via deeply nested bencoded input.
bdecode recurses once per nested list or dictionary level with no depth cap, and each recursive call receives the remaining buffer by value while the list and dictionary branches capture the whole remainder, so every live recursion frame keeps its own copy of the shrinking buffer (O(N^2) bytes for an N-deep input). The decoder runs on every untrusted bencode source: .torrent files, BEP09 metadata fetched from peers, DHT messages, and tracker responses.
A bencoded input of roughly 150,000 nested lists (about 150 KB on the wire) drives multi-gigabyte peak memory, so one short message from any peer, or one crafted .torrent file or magnet link, terminates the client.
Severity
7.5 (High)
SSVC
Exploitation: none
Automatable: yes
Technical Impact: partial
CISA Coordinator (v2.0.3)
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://github.com/sanko/Net-BitTorrent.pm/securi… | vendor-advisory |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| SANKO | Net::BitTorrent |
Affected:
0 , ≤ 2.0.1
(custom)
|
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2026-57081",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-30T15:04:09.539220Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-30T15:04:17.344Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://cpan.org/modules",
"defaultStatus": "unaffected",
"packageName": "Net-BitTorrent",
"product": "Net::BitTorrent",
"programFiles": [
"lib/Net/BitTorrent/Protocol/BEP03/Bencode.pm"
],
"programRoutines": [
{
"name": "Net::BitTorrent::Protocol::BEP03::Bencode::bdecode"
}
],
"repo": "https://github.com/sanko/Net-BitTorrent.pm",
"vendor": "SANKO",
"versions": [
{
"lessThanOrEqual": "2.0.1",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Net::BitTorrent versions through 2.0.1 for Perl allow remote memory exhaustion via deeply nested bencoded input.\n\nbdecode recurses once per nested list or dictionary level with no depth cap, and each recursive call receives the remaining buffer by value while the list and dictionary branches capture the whole remainder, so every live recursion frame keeps its own copy of the shrinking buffer (O(N^2) bytes for an N-deep input). The decoder runs on every untrusted bencode source: .torrent files, BEP09 metadata fetched from peers, DHT messages, and tracker responses.\n\nA bencoded input of roughly 150,000 nested lists (about 150 KB on the wire) drives multi-gigabyte peak memory, so one short message from any peer, or one crafted .torrent file or magnet link, terminates the client."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-674",
"description": "CWE-674 Uncontrolled Recursion",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-400",
"description": "CWE-400 Uncontrolled Resource Consumption",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-30T11:05:14.658Z",
"orgId": "9b29abf9-4ab0-4765-b253-1875cd9b441e",
"shortName": "CPANSec"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://github.com/sanko/Net-BitTorrent.pm/security/advisories/GHSA-mv44-v82p-89xv"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Net::BitTorrent versions through 2.0.1 for Perl allow remote memory exhaustion via deeply nested bencoded input",
"workarounds": [
{
"lang": "en",
"value": "There is no fixed release. Cap the bencode nesting depth (libtorrent rejects beyond about 100 levels) and decode without copying the buffer remainder at each level."
}
],
"x_generator": {
"engine": "cpansec-cna-tool 0.1"
}
}
},
"cveMetadata": {
"assignerOrgId": "9b29abf9-4ab0-4765-b253-1875cd9b441e",
"assignerShortName": "CPANSec",
"cveId": "CVE-2026-57081",
"datePublished": "2026-06-30T11:05:14.658Z",
"dateReserved": "2026-06-23T18:20:33.514Z",
"dateUpdated": "2026-06-30T15:04:17.344Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-57080 (GCVE-0-2026-57080)
Vulnerability from cvelistv5 – Published: 2026-06-30 11:04 – Updated: 2026-06-30 13:48
VLAI
EPSS
VEX
Title
Net::BitTorrent versions through 2.0.1 for Perl allow remote memory exhaustion via an uncapped peer-wire message-length prefix
Summary
Net::BitTorrent versions through 2.0.1 for Perl allow remote memory exhaustion via an uncapped peer-wire message-length prefix.
The peer-wire framing in _process_messages trusts the 4-byte length prefix sent by a connected peer with no upper bound, while receive_data appends every inbound byte to the input buffer. A peer announces a length prefix of up to about 4 GiB and then streams bytes; the decoder waits until the buffer holds the full message before processing it, so the buffer grows without limit.
Peer connections are unauthenticated, so any peer in the swarm exhausts the downloading process's memory. The largest legitimate message is a 16 KiB piece block, so any announced length far above that is anomalous.
Severity
7.5 (High)
SSVC
Exploitation: none
Automatable: yes
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://github.com/sanko/Net-BitTorrent.pm/securi… | vendor-advisory |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| SANKO | Net::BitTorrent |
Affected:
0 , ≤ 2.0.1
(custom)
|
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2026-57080",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-30T13:48:40.607424Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-30T13:48:44.549Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://cpan.org/modules",
"defaultStatus": "unaffected",
"packageName": "Net-BitTorrent",
"product": "Net::BitTorrent",
"programFiles": [
"lib/Net/BitTorrent/Protocol/BEP03.pm"
],
"programRoutines": [
{
"name": "Net::BitTorrent::Protocol::BEP03::_process_messages"
},
{
"name": "Net::BitTorrent::Protocol::BEP03::receive_data"
}
],
"repo": "https://github.com/sanko/Net-BitTorrent.pm",
"vendor": "SANKO",
"versions": [
{
"lessThanOrEqual": "2.0.1",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Net::BitTorrent versions through 2.0.1 for Perl allow remote memory exhaustion via an uncapped peer-wire message-length prefix.\n\nThe peer-wire framing in _process_messages trusts the 4-byte length prefix sent by a connected peer with no upper bound, while receive_data appends every inbound byte to the input buffer. A peer announces a length prefix of up to about 4 GiB and then streams bytes; the decoder waits until the buffer holds the full message before processing it, so the buffer grows without limit.\n\nPeer connections are unauthenticated, so any peer in the swarm exhausts the downloading process\u0027s memory. The largest legitimate message is a 16 KiB piece block, so any announced length far above that is anomalous."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-770",
"description": "CWE-770 Allocation of Resources Without Limits or Throttling",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-400",
"description": "CWE-400 Uncontrolled Resource Consumption",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-30T11:04:56.820Z",
"orgId": "9b29abf9-4ab0-4765-b253-1875cd9b441e",
"shortName": "CPANSec"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://github.com/sanko/Net-BitTorrent.pm/security/advisories/GHSA-7jr6-2jf4-6qc4"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Net::BitTorrent versions through 2.0.1 for Perl allow remote memory exhaustion via an uncapped peer-wire message-length prefix",
"workarounds": [
{
"lang": "en",
"value": "There is no fixed release. Reject a peer-wire message length above a sane maximum (well above the 16 KiB largest legitimate message) and disconnect the peer instead of buffering unboundedly."
}
],
"x_generator": {
"engine": "cpansec-cna-tool 0.1"
}
}
},
"cveMetadata": {
"assignerOrgId": "9b29abf9-4ab0-4765-b253-1875cd9b441e",
"assignerShortName": "CPANSec",
"cveId": "CVE-2026-57080",
"datePublished": "2026-06-30T11:04:56.820Z",
"dateReserved": "2026-06-23T18:20:33.514Z",
"dateUpdated": "2026-06-30T13:48:44.549Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-57079 (GCVE-0-2026-57079)
Vulnerability from cvelistv5 – Published: 2026-06-30 11:04 – Updated: 2026-06-30 13:52
VLAI
EPSS
VEX
Title
Net::BitTorrent versions through 2.0.1 for Perl write files outside the download directory via path traversal in peer-supplied metadata
Summary
Net::BitTorrent versions through 2.0.1 for Perl write files outside the download directory via path traversal in peer-supplied metadata.
Net::BitTorrent validates file path components only on the .torrent-file ingest path. The peer and magnet metadata path (_on_metadata_received, reached from the BEP09 ut_metadata extension) passes attacker-supplied file names straight to Storage::add_file and Storage::_parse_file_tree, where Path::Tiny's child() does not collapse "..". A v2 file tree key, a v1 files[].path element, or a single-file name containing ".." segments therefore resolves outside the download directory.
Because the peer also controls the piece hashes and the served bytes, content verification passes, so a malicious magnet or peer writes attacker-chosen content to an attacker-chosen path on the downloading host.
Severity
5.3 (Medium)
SSVC
Exploitation: none
Automatable: yes
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://github.com/sanko/Net-BitTorrent.pm/securi… | vendor-advisory |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| SANKO | Net::BitTorrent |
Affected:
0 , ≤ 2.0.1
(custom)
|
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2026-57079",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-30T13:52:00.535187Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-30T13:52:04.135Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://cpan.org/modules",
"defaultStatus": "unaffected",
"packageName": "Net-BitTorrent",
"product": "Net::BitTorrent",
"programFiles": [
"lib/Net/BitTorrent/Torrent.pm",
"lib/Net/BitTorrent/Storage.pm",
"lib/Net/BitTorrent/Storage/File.pm"
],
"programRoutines": [
{
"name": "Net::BitTorrent::Torrent::_on_metadata_received"
},
{
"name": "Net::BitTorrent::Storage::add_file"
},
{
"name": "Net::BitTorrent::Storage::_parse_file_tree"
}
],
"repo": "https://github.com/sanko/Net-BitTorrent.pm",
"vendor": "SANKO",
"versions": [
{
"lessThanOrEqual": "2.0.1",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Net::BitTorrent versions through 2.0.1 for Perl write files outside the download directory via path traversal in peer-supplied metadata.\n\nNet::BitTorrent validates file path components only on the .torrent-file ingest path. The peer and magnet metadata path (_on_metadata_received, reached from the BEP09 ut_metadata extension) passes attacker-supplied file names straight to Storage::add_file and Storage::_parse_file_tree, where Path::Tiny\u0027s child() does not collapse \"..\". A v2 file tree key, a v1 files[].path element, or a single-file name containing \"..\" segments therefore resolves outside the download directory.\n\nBecause the peer also controls the piece hashes and the served bytes, content verification passes, so a malicious magnet or peer writes attacker-chosen content to an attacker-chosen path on the downloading host."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-22",
"description": "CWE-22 Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-30T11:04:32.211Z",
"orgId": "9b29abf9-4ab0-4765-b253-1875cd9b441e",
"shortName": "CPANSec"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://github.com/sanko/Net-BitTorrent.pm/security/advisories/GHSA-5wc6-r65f-62rr"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Net::BitTorrent versions through 2.0.1 for Perl write files outside the download directory via path traversal in peer-supplied metadata",
"workarounds": [
{
"lang": "en",
"value": "There is no fixed release. Validate metadata file path components on the peer and magnet ingest path as the .torrent-file path already does (reject components equal to \u0027\u0027, \u0027.\u0027, or \u0027..\u0027 or containing \u0027/\u0027 or \u0027\\\u0027), and confirm each resolved path stays within the download directory before writing."
}
],
"x_generator": {
"engine": "cpansec-cna-tool 0.1"
}
}
},
"cveMetadata": {
"assignerOrgId": "9b29abf9-4ab0-4765-b253-1875cd9b441e",
"assignerShortName": "CPANSec",
"cveId": "CVE-2026-57079",
"datePublished": "2026-06-30T11:04:32.211Z",
"dateReserved": "2026-06-23T18:20:33.513Z",
"dateUpdated": "2026-06-30T13:52:04.135Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-13758 (GCVE-0-2026-13758)
Vulnerability from cvelistv5 – Published: 2026-06-29 20:42 – Updated: 2026-06-30 13:56
VLAI
EPSS
VEX
Title
CryptX versions before 0.088_001 for Perl compare AEAD authentication tags in non-constant time in the streaming decrypt_done path
Summary
CryptX versions before 0.088_001 for Perl compare AEAD authentication tags in non-constant time in the streaming decrypt_done path.
The decrypt_done($tag) form compares it against the computed tag with memNE (memcmp() != 0), which short-circuits on the first differing byte, so its run time depends on the number of matching leading bytes. This affects all five AEAD modes: GCM, CCM, ChaCha20Poly1305, EAX and OCB. The one-shot *_decrypt_verify helpers are unaffected; they verify the tag inside libtomcrypt with a constant-time comparison.
The timing difference is a tag-verification oracle. An attacker who can submit many candidate tags for the same nonce, ciphertext and associated data while measuring the timing precisely enough may recover the expected tag byte by byte and forge a message that verifies.
Severity
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-208 - Observable Timing Discrepancy
Assigner
References
3 references
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2026-06-29T22:24:14.433Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "http://www.openwall.com/lists/oss-security/2026/06/29/19"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 3.7,
"baseSeverity": "LOW",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2026-13758",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-30T13:56:51.096991Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-30T13:56:55.094Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://cpan.org/modules",
"defaultStatus": "unaffected",
"packageName": "CryptX",
"product": "CryptX",
"programFiles": [
"inc/CryptX_AuthEnc_GCM.xs.inc",
"inc/CryptX_AuthEnc_CCM.xs.inc",
"inc/CryptX_AuthEnc_ChaCha20Poly1305.xs.inc",
"inc/CryptX_AuthEnc_EAX.xs.inc",
"inc/CryptX_AuthEnc_OCB.xs.inc"
],
"programRoutines": [
{
"name": "Crypt::AuthEnc::GCM::decrypt_done"
},
{
"name": "Crypt::AuthEnc::CCM::decrypt_done"
},
{
"name": "Crypt::AuthEnc::ChaCha20Poly1305::decrypt_done"
},
{
"name": "Crypt::AuthEnc::EAX::decrypt_done"
},
{
"name": "Crypt::AuthEnc::OCB::decrypt_done"
}
],
"repo": "https://github.com/DCIT/perl-CryptX",
"vendor": "MIK",
"versions": [
{
"lessThan": "0.088_001",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "CryptX versions before 0.088_001 for Perl compare AEAD authentication tags in non-constant time in the streaming decrypt_done path.\n\nThe decrypt_done($tag) form compares it against the computed tag with memNE (memcmp() != 0), which short-circuits on the first differing byte, so its run time depends on the number of matching leading bytes. This affects all five AEAD modes: GCM, CCM, ChaCha20Poly1305, EAX and OCB. The one-shot *_decrypt_verify helpers are unaffected; they verify the tag inside libtomcrypt with a constant-time comparison.\n\nThe timing difference is a tag-verification oracle. An attacker who can submit many candidate tags for the same nonce, ciphertext and associated data while measuring the timing precisely enough may recover the expected tag byte by byte and forge a message that verifies."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-208",
"description": "CWE-208 Observable Timing Discrepancy",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-29T20:42:14.612Z",
"orgId": "9b29abf9-4ab0-4765-b253-1875cd9b441e",
"shortName": "CPANSec"
},
"references": [
{
"tags": [
"patch"
],
"url": "https://github.com/DCIT/perl-CryptX/commit/7e56347d420aaf43b2ee1586f4a230492ccf1642.patch"
},
{
"tags": [
"release-notes"
],
"url": "https://metacpan.org/release/MIK/CryptX-0.088_001/changes"
}
],
"solutions": [
{
"lang": "en",
"value": "Upgrade to CryptX 0.088_001 or later."
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "CryptX versions before 0.088_001 for Perl compare AEAD authentication tags in non-constant time in the streaming decrypt_done path",
"x_generator": {
"engine": "cpansec-cna-tool 0.1"
}
}
},
"cveMetadata": {
"assignerOrgId": "9b29abf9-4ab0-4765-b253-1875cd9b441e",
"assignerShortName": "CPANSec",
"cveId": "CVE-2026-13758",
"datePublished": "2026-06-29T20:42:14.612Z",
"dateReserved": "2026-06-29T17:50:18.724Z",
"dateUpdated": "2026-06-30T13:56:55.094Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-56018 (GCVE-0-2026-56018)
Vulnerability from cvelistv5 – Published: 2026-06-29 19:38 – Updated: 2026-06-29 22:24
VLAI
EPSS
VEX
Title
JavaScript::Minifier::XS versions before 0.16 for Perl leak memory on every call to minify(), allowing unbounded memory growth
Summary
JavaScript::Minifier::XS versions before 0.16 for Perl leak memory on every call to minify(), allowing unbounded memory growth.
In JsMinify (XS.xs) the cleanup frees only the NodeSet structures and never the per-token contents buffers allocated in JsSetNodeContents; JsDiscardNode unlinks nodes without freeing their contents. Each token's contents buffer is therefore leaked on every call, and the two early returns taken when the node list is empty leak the whole NodeSet.
A long-lived process that minifies repeatedly, such as an asset pipeline or a server-side minifier endpoint, grows in memory without bound until it exhausts available memory and is killed, causing denial of service.
Severity
7.5 (High)
SSVC
Exploitation: none
Automatable: yes
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
Assigner
References
3 references
| URL | Tags |
|---|---|
| https://github.com/bleargh45/JavaScript-Minifier-… | issue-tracking |
| https://metacpan.org/release/GTERMARS/JavaScript-… | release-notes |
| http://www.openwall.com/lists/oss-security/2026/0… |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| GTERMARS | JavaScript::Minifier::XS |
Affected:
0 , < 0.16
(custom)
|
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2026-56018",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-29T20:52:50.642184Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-29T20:53:13.994Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2026-06-29T22:24:36.940Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "http://www.openwall.com/lists/oss-security/2026/06/29/17"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://cpan.org/modules",
"defaultStatus": "unaffected",
"packageName": "JavaScript-Minifier-XS",
"product": "JavaScript::Minifier::XS",
"programFiles": [
"XS.xs"
],
"programRoutines": [
{
"name": "JsMinify"
}
],
"repo": "https://github.com/bleargh45/JavaScript-Minifier-XS",
"vendor": "GTERMARS",
"versions": [
{
"lessThan": "0.16",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "JavaScript::Minifier::XS versions before 0.16 for Perl leak memory on every call to minify(), allowing unbounded memory growth.\n\nIn JsMinify (XS.xs) the cleanup frees only the NodeSet structures and never the per-token contents buffers allocated in JsSetNodeContents; JsDiscardNode unlinks nodes without freeing their contents. Each token\u0027s contents buffer is therefore leaked on every call, and the two early returns taken when the node list is empty leak the whole NodeSet.\n\nA long-lived process that minifies repeatedly, such as an asset pipeline or a server-side minifier endpoint, grows in memory without bound until it exhausts available memory and is killed, causing denial of service."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-401",
"description": "CWE-401 Missing Release of Memory after Effective Lifetime",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-400",
"description": "CWE-400 Uncontrolled Resource Consumption",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-29T19:38:35.316Z",
"orgId": "9b29abf9-4ab0-4765-b253-1875cd9b441e",
"shortName": "CPANSec"
},
"references": [
{
"tags": [
"issue-tracking"
],
"url": "https://github.com/bleargh45/JavaScript-Minifier-XS/issues/10"
},
{
"tags": [
"release-notes"
],
"url": "https://metacpan.org/release/GTERMARS/JavaScript-Minifier-XS-0.16/changes"
}
],
"solutions": [
{
"lang": "en",
"value": "Upgrade to JavaScript::Minifier::XS version 0.16 or later."
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "JavaScript::Minifier::XS versions before 0.16 for Perl leak memory on every call to minify(), allowing unbounded memory growth",
"x_generator": {
"engine": "cpansec-cna-tool 0.1"
}
}
},
"cveMetadata": {
"assignerOrgId": "9b29abf9-4ab0-4765-b253-1875cd9b441e",
"assignerShortName": "CPANSec",
"cveId": "CVE-2026-56018",
"datePublished": "2026-06-29T19:38:35.316Z",
"dateReserved": "2026-06-18T11:27:09.117Z",
"dateUpdated": "2026-06-29T22:24:36.940Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-56017 (GCVE-0-2026-56017)
Vulnerability from cvelistv5 – Published: 2026-06-29 19:38 – Updated: 2026-06-29 22:24
VLAI
EPSS
VEX
Title
JavaScript::Minifier::XS versions before 0.16 for Perl crash with a NULL pointer dereference when the first meaningful token of the input is a slash
Summary
JavaScript::Minifier::XS versions before 0.16 for Perl crash with a NULL pointer dereference when the first meaningful token of the input is a slash.
The regexp versus division disambiguator in JsTokenizeString (XS.xs) inspects the previous token's last byte to choose between a regexp literal and a division operator. When a slash is the first meaningful token, with the start of input or only whitespace and comments before it, there is no valid preceding token: the walk back over whitespace and comment nodes runs off the head of the node list to NULL, and the byte lookup reads through a NULL contents pointer at an underflowed length index. The following identifier check dereferences the same NULL pointer.
The crash is reachable through the public minify() API, so input as small as a single slash byte crashes the calling process. A service that minifies untrusted or third-party JavaScript can be crashed by a remote request, causing denial of service.
Severity
7.5 (High)
SSVC
Exploitation: none
Automatable: yes
Technical Impact: partial
CISA Coordinator (v2.0.3)
Assigner
References
2 references
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| GTERMARS | JavaScript::Minifier::XS |
Affected:
0 , < 0.16
(custom)
|
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2026-56017",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-29T20:54:26.731930Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-29T20:55:00.530Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2026-06-29T22:24:35.943Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "http://www.openwall.com/lists/oss-security/2026/06/29/16"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://cpan.org/modules",
"defaultStatus": "unaffected",
"packageName": "JavaScript-Minifier-XS",
"product": "JavaScript::Minifier::XS",
"programFiles": [
"XS.xs"
],
"programRoutines": [
{
"name": "JsTokenizeString"
}
],
"repo": "https://github.com/bleargh45/JavaScript-Minifier-XS",
"vendor": "GTERMARS",
"versions": [
{
"lessThan": "0.16",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "JavaScript::Minifier::XS versions before 0.16 for Perl crash with a NULL pointer dereference when the first meaningful token of the input is a slash.\n\nThe regexp versus division disambiguator in JsTokenizeString (XS.xs) inspects the previous token\u0027s last byte to choose between a regexp literal and a division operator. When a slash is the first meaningful token, with the start of input or only whitespace and comments before it, there is no valid preceding token: the walk back over whitespace and comment nodes runs off the head of the node list to NULL, and the byte lookup reads through a NULL contents pointer at an underflowed length index. The following identifier check dereferences the same NULL pointer.\n\nThe crash is reachable through the public minify() API, so input as small as a single slash byte crashes the calling process. A service that minifies untrusted or third-party JavaScript can be crashed by a remote request, causing denial of service."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-476",
"description": "CWE-476 NULL Pointer Dereference",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-125",
"description": "CWE-125 Out-of-bounds Read",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-29T19:38:14.599Z",
"orgId": "9b29abf9-4ab0-4765-b253-1875cd9b441e",
"shortName": "CPANSec"
},
"references": [
{
"tags": [
"release-notes"
],
"url": "https://metacpan.org/release/GTERMARS/JavaScript-Minifier-XS-0.16/changes"
}
],
"solutions": [
{
"lang": "en",
"value": "Upgrade to JavaScript::Minifier::XS version 0.16 or later."
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "JavaScript::Minifier::XS versions before 0.16 for Perl crash with a NULL pointer dereference when the first meaningful token of the input is a slash",
"x_generator": {
"engine": "cpansec-cna-tool 0.1"
}
}
},
"cveMetadata": {
"assignerOrgId": "9b29abf9-4ab0-4765-b253-1875cd9b441e",
"assignerShortName": "CPANSec",
"cveId": "CVE-2026-56017",
"datePublished": "2026-06-29T19:38:14.599Z",
"dateReserved": "2026-06-18T11:27:09.117Z",
"dateUpdated": "2026-06-29T22:24:35.943Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-13593 (GCVE-0-2026-13593)
Vulnerability from cvelistv5 – Published: 2026-06-29 19:37 – Updated: 2026-06-29 22:24
VLAI
EPSS
VEX
Title
CSS::Minifier::XS versions before 0.14 for Perl have a memory leak when the entire document is minified away
Summary
CSS::Minifier::XS versions before 0.14 for Perl have a memory leak when the entire document is minified away.
The minify function has a memory leak when processing a document containing only characters to be removed, such as comments and whitespace.
Severity
6.5 (Medium)
SSVC
Exploitation: none
Automatable: yes
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-401 - Missing Release of Memory after Effective Lifetime
Assigner
References
2 references
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| GTERMARS | CSS::Minifier::XS |
Affected:
0 , < 0.14
(custom)
|
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2026-13593",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-29T20:56:37.063926Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-29T20:56:59.713Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2026-06-29T22:24:13.483Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "http://www.openwall.com/lists/oss-security/2026/06/29/18"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://cpan.org/modules",
"defaultStatus": "unaffected",
"packageName": "CSS-Minifier-XS",
"product": "CSS::Minifier::XS",
"repo": "https://github.com/bleargh45/CSS-Minifier-XS",
"vendor": "GTERMARS",
"versions": [
{
"lessThan": "0.14",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "CSS::Minifier::XS versions before 0.14 for Perl have a memory leak when the entire document is minified away.\n\nThe minify function has a memory leak when processing a document containing only characters to be removed, such as comments and whitespace."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-401",
"description": "CWE-401 Missing Release of Memory after Effective Lifetime",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-29T19:37:42.621Z",
"orgId": "9b29abf9-4ab0-4765-b253-1875cd9b441e",
"shortName": "CPANSec"
},
"references": [
{
"tags": [
"release-notes"
],
"url": "https://metacpan.org/release/GTERMARS/CSS-Minifier-XS-0.14/changes"
}
],
"solutions": [
{
"lang": "en",
"value": "Upgrade to CSS::Minifier::XS version 0.14 or later."
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "CSS::Minifier::XS versions before 0.14 for Perl have a memory leak when the entire document is minified away",
"x_generator": {
"engine": "cpansec-cna-tool 0.1"
}
}
},
"cveMetadata": {
"assignerOrgId": "9b29abf9-4ab0-4765-b253-1875cd9b441e",
"assignerShortName": "CPANSec",
"cveId": "CVE-2026-13593",
"datePublished": "2026-06-29T19:37:42.621Z",
"dateReserved": "2026-06-29T06:55:43.347Z",
"dateUpdated": "2026-06-29T22:24:13.483Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-11702 (GCVE-0-2026-11702)
Vulnerability from cvelistv5 – Published: 2026-06-26 08:13 – Updated: 2026-07-01 14:35
VLAI
EPSS
VEX
Title
Bytes::Random::Secure::Tiny versions through 1.011 for Perl share internal state across forked processes
Summary
Bytes::Random::Secure::Tiny versions through 1.011 for Perl share internal state across forked processes.
When an object is initialised before forking, then the internal state for the PRNG is shared across processes and identical random streams will be produced.
Secrets generated in multiprocess applications are predictable across processes.
Severity
7.5 (High)
SSVC
Exploitation: none
Automatable: yes
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-335 - Incorrect Usage of Seeds in Pseudo-Random Number Generator (PRNG)
Assigner
References
5 references
| URL | Tags |
|---|---|
| https://github.com/daoswald/Bytes-Random-Secure-T… | issue-tracking |
| https://github.com/daoswald/Bytes-Random-Secure-T… | issue-tracking |
| https://security.metacpan.org/patches/B/Bytes-Ran… | patch |
| https://www.cve.org/CVERecord?id=CVE-2026-11625 | related |
| https://www.cve.org/CVERecord?id=CVE-2026-41564 | related |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| DAVIDO | Bytes::Random::Secure::Tiny |
Affected:
0 , ≤ 1.011
(custom)
|
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2026-11702",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-26T16:22:12.310492Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-26T16:24:56.836Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://cpan.org/modules",
"defaultStatus": "unaffected",
"packageName": "Bytes-Random-Secure-Tiny",
"product": "Bytes::Random::Secure::Tiny",
"programFiles": [
"lib/Bytes/Random/Secure/Tiny.pm"
],
"repo": "https://github.com/daoswald/Bytes-Random-Secure-Tiny",
"vendor": "DAVIDO",
"versions": [
{
"lessThanOrEqual": "1.011",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Bytes::Random::Secure::Tiny versions through 1.011 for Perl share internal state across forked processes.\n\nWhen an object is initialised before forking, then the internal state for the PRNG is shared across processes and identical random streams will be produced.\n\nSecrets generated in multiprocess applications are predictable across processes."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-335",
"description": "CWE-335 Incorrect Usage of Seeds in Pseudo-Random Number Generator (PRNG)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-07-01T14:35:01.348Z",
"orgId": "9b29abf9-4ab0-4765-b253-1875cd9b441e",
"shortName": "CPANSec"
},
"references": [
{
"tags": [
"issue-tracking"
],
"url": "https://github.com/daoswald/Bytes-Random-Secure-Tiny/issues/6"
},
{
"tags": [
"issue-tracking"
],
"url": "https://github.com/daoswald/Bytes-Random-Secure-Tiny/pull/7"
},
{
"tags": [
"patch"
],
"url": "https://security.metacpan.org/patches/B/Bytes-Random-Secure-Tiny/1.011/CVE-2026-11702-r1.patch"
},
{
"tags": [
"related"
],
"url": "https://www.cve.org/CVERecord?id=CVE-2026-11625"
},
{
"tags": [
"related"
],
"url": "https://www.cve.org/CVERecord?id=CVE-2026-41564"
}
],
"source": {
"discovery": "UNKNOWN"
},
"timeline": [
{
"lang": "en",
"time": "2026-06-08T00:00:00.000Z",
"value": "Issue reported to CPANSec."
},
{
"lang": "en",
"time": "2026-06-08T00:00:00.000Z",
"value": "Maintainer notified."
},
{
"lang": "en",
"time": "2026-06-24T00:00:00.000Z",
"value": "Issue publicly reported on GitHub."
},
{
"lang": "en",
"time": "2026-06-30T00:00:00.000Z",
"value": "Patch merged."
}
],
"title": "Bytes::Random::Secure::Tiny versions through 1.011 for Perl share internal state across forked processes",
"workarounds": [
{
"lang": "en",
"value": "Apply the patch, if possible.\n\nOtherwise, ensure that the object is only instantiated in a child process after forking.\n\nAlternatively, use a different module such as Crypt::PRNG, Crypt::SysRandom or Crypt::URandom."
}
],
"x_generator": {
"engine": "cpansec-cna-tool 0.1"
}
}
},
"cveMetadata": {
"assignerOrgId": "9b29abf9-4ab0-4765-b253-1875cd9b441e",
"assignerShortName": "CPANSec",
"cveId": "CVE-2026-11702",
"datePublished": "2026-06-26T08:13:56.386Z",
"dateReserved": "2026-06-08T22:09:13.472Z",
"dateUpdated": "2026-07-01T14:35:01.348Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-11625 (GCVE-0-2026-11625)
Vulnerability from cvelistv5 – Published: 2026-06-26 08:07 – Updated: 2026-07-01 14:34
VLAI
EPSS
VEX
Title
Bytes::Random::Secure versions through 0.29 for Perl share internal state across forked processes
Summary
Bytes::Random::Secure versions through 0.29 for Perl share internal state across forked processes.
When an object is initialised before forking, or when the functional interface is used, then the internal state for the PRNG is shared across processes and identical random streams will be produced.
Secrets generated in multiprocess applications are predictable across processes.
Severity
7.5 (High)
SSVC
Exploitation: none
Automatable: yes
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-335 - Incorrect Usage of Seeds in Pseudo-Random Number Generator (PRNG)
Assigner
References
5 references
| URL | Tags |
|---|---|
| https://github.com/daoswald/Bytes-Random-Secure/i… | issue-tracking |
| https://github.com/daoswald/Bytes-Random-Secure/pull/4 | issue-tracking |
| https://security.metacpan.org/patches/B/Bytes-Ran… | patch |
| https://www.cve.org/CVERecord?id=CVE-2026-11702 | related |
| https://www.cve.org/CVERecord?id=CVE-2026-41564 | related |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| DAVIDO | Bytes::Random::Secure |
Affected:
0 , ≤ 0.29
(custom)
|
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2026-11625",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-26T16:14:14.671944Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-26T16:14:22.833Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://cpan.org/modules",
"defaultStatus": "unaffected",
"packageName": "Bytes-Random-Secure",
"product": "Bytes::Random::Secure",
"programFiles": [
"lib/Bytes/Random/Secure.pm"
],
"repo": "https://github.com/daoswald/Bytes-Random-Secure",
"vendor": "DAVIDO",
"versions": [
{
"lessThanOrEqual": "0.29",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Bytes::Random::Secure versions through 0.29 for Perl share internal state across forked processes.\n\nWhen an object is initialised before forking, or when the functional interface is used, then the internal state for the PRNG is shared across processes and identical random streams will be produced.\n\nSecrets generated in multiprocess applications are predictable across processes."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-335",
"description": "CWE-335 Incorrect Usage of Seeds in Pseudo-Random Number Generator (PRNG)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-07-01T14:34:43.953Z",
"orgId": "9b29abf9-4ab0-4765-b253-1875cd9b441e",
"shortName": "CPANSec"
},
"references": [
{
"tags": [
"issue-tracking"
],
"url": "https://github.com/daoswald/Bytes-Random-Secure/issues/3"
},
{
"tags": [
"issue-tracking"
],
"url": "https://github.com/daoswald/Bytes-Random-Secure/pull/4"
},
{
"tags": [
"patch"
],
"url": "https://security.metacpan.org/patches/B/Bytes-Random-Secure/0.29/CVE-2026-11625-r1.patch"
},
{
"tags": [
"related"
],
"url": "https://www.cve.org/CVERecord?id=CVE-2026-11702"
},
{
"tags": [
"related"
],
"url": "https://www.cve.org/CVERecord?id=CVE-2026-41564"
}
],
"source": {
"discovery": "UNKNOWN"
},
"timeline": [
{
"lang": "en",
"time": "2026-05-26T00:00:00.000Z",
"value": "Issue reported to CPANSec."
},
{
"lang": "en",
"time": "2026-06-08T00:00:00.000Z",
"value": "Maintainer notified."
},
{
"lang": "en",
"time": "2026-06-24T00:00:00.000Z",
"value": "Issue publicly reported on GitHub."
},
{
"lang": "en",
"time": "2026-06-30T00:00:00.000Z",
"value": "Patch merged."
}
],
"title": "Bytes::Random::Secure versions through 0.29 for Perl share internal state across forked processes",
"workarounds": [
{
"lang": "en",
"value": "Apply the patch.\n\nOtherwise, only use the object-oriented interface and ensure that the object is only instantiated in a child process after forking.\n\nAlternatively, use a different module such as Crypt::PRNG, Crypt::SysRandom or Crypt::URandom."
}
],
"x_generator": {
"engine": "cpansec-cna-tool 0.1"
}
}
},
"cveMetadata": {
"assignerOrgId": "9b29abf9-4ab0-4765-b253-1875cd9b441e",
"assignerShortName": "CPANSec",
"cveId": "CVE-2026-11625",
"datePublished": "2026-06-26T08:07:30.141Z",
"dateReserved": "2026-06-08T21:02:09.596Z",
"dateUpdated": "2026-07-01T14:34:43.953Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}