Logo
-

Byte Open Security

(ByteOS Network)

Log In

Sign Up

ByteOS

Security
Vulnerability Details
Registries
Custom Views
Weaknesses
Attack Patterns
Filters & Tools

CPAN Security Group

#9b29abf9-4ab0-4765-b253-1875cd9b441e
PolicyEmail

Short Name

CPANSec

Program Role

CNA

Root

Red Hat, Inc.

Top Level Root

MITRE Corporation

Security Advisories

View Advisories

Domain

security.metacpan.org

Country

Canada

Scope

Vulnerabilities in Perl and CPAN Modules (including End-of-Life Perl versions) found at https://perl.org, https://cpan.org, or https://metacpan.org/, excluding distributions of Perl or CPAN Modules maintained by third-party redistributors.
Reported CVEsVendorsProductsReports
229Vulnerabilities found

CVE-2026-9537
Assigner-CPAN Security Group
ShareView Details
Assigner-CPAN Security Group
CVSS Score-Not Assigned
EPSS-0.17% / 7.06%
||
7 Day CHG~0.00%
Published-17 Jul, 2026 | 15:29
Updated-17 Jul, 2026 | 18:17
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Mojo::JWT versions before 1.02 for Perl verify HMAC signatures with a non-constant-time string comparison

Mojo::JWT versions before 1.02 for Perl verify HMAC signatures with a non-constant-time string comparison. The decode() method compares the supplied signature to the recomputed HMAC with Perl's eq operator, which stops at the first differing byte, so the comparison time varies with the number of matching leading bytes. A caller that decodes attacker supplied tokens leaks the expected signature through this timing variation, which can be aggregated over many requests to recover the signature and forge a token.

Action-Not Available
Vendor-JBERGER
Product-Mojo::JWT
CWE ID-CWE-208
Observable Timing Discrepancy
CVE-2026-14741
Assigner-CPAN Security Group
ShareView Details
Assigner-CPAN Security Group
CVSS Score-Not Assigned
EPSS-0.21% / 11.09%
||
7 Day CHG~0.00%
Published-17 Jul, 2026 | 15:20
Updated-17 Jul, 2026 | 18:17
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
HTTP::Date versions before 6.08 for Perl allow CPU exhaustion via polynomial regex backtracking in parse_date

HTTP::Date versions before 6.08 for Perl allow CPU exhaustion via polynomial regex backtracking in parse_date. parse_date() matches the date string against a chain of alternative regexes, and str2time() delegates to it. Several of these patterns place unbounded quantifiers next to each other before a trailing `\s*$` anchor. A valid date prefix followed by a long interior run of digits, letters, or whitespace and a single trailing byte that defeats the final match forces the engine to repartition the run, giving polynomial (about quadratic) backtracking. A header value of a few tens of kilobytes runs for tens of seconds of CPU. HTTP::Date parses timestamps such as HTTP `Date`, `Expires`, and `Last-Modified` headers, which commonly originate from untrusted sources. Any caller that passes an untrusted date header to str2time() or parse_date() can be driven to consume unbounded CPU, a denial of service.

Action-Not Available
Vendor-OALDERS
Product-HTTP::Date
CWE ID-CWE-1333
Inefficient Regular Expression Complexity
CVE-2026-13082
Assigner-CPAN Security Group
ShareView Details
Assigner-CPAN Security Group
CVSS Score-5.3||MEDIUM
EPSS-0.22% / 12.00%
||
7 Day CHG~0.00%
Published-17 Jul, 2026 | 12:54
Updated-17 Jul, 2026 | 18:17
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
GD::SecurityImage versions through 1.75 for Perl use rand to generate secrets

GD::SecurityImage versions through 1.75 for Perl use rand to generate secrets. The random method creates the challenge text used for the CAPTCHA by sampling characters from an array using Perl's built-in rand function, and generates a (by default) six-character string. The built-in rand function is unsuitable for security applications because it is predictable and reversible.

Action-Not Available
Vendor-BURAK
Product-GD::SecurityImage
CWE ID-CWE-338
Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG)
CWE ID-CWE-804
Guessable CAPTCHA
CVE-2026-13410
Assigner-CPAN Security Group
ShareView Details
Assigner-CPAN Security Group
CVSS Score-8.2||HIGH
EPSS-0.24% / 15.33%
||
7 Day CHG~0.00%
Published-17 Jul, 2026 | 12:50
Updated-17 Jul, 2026 | 18:17
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Dancer::Plugin::Auth::Google versions through 0.07 for Perl have TLS verification disabled

Dancer::Plugin::Auth::Google versions through 0.07 for Perl have TLS verification disabled. The default user agent is initialised with SSL_verify_mode explicitly disabled. An attacker with network man-in-the-middle (MITM) capability between the Dancer application and googleapis.com can intercept the OAuth2 token exchange and userinfo fetch, return a forged access_token and user profile, and be logged in to the Dancer application as any Google user.

Action-Not Available
Vendor-GARU
Product-Dancer::Plugin::Auth::Google
CWE ID-CWE-295
Improper Certificate Validation
CVE-2026-57077
Assigner-CPAN Security Group
ShareView Details
Assigner-CPAN Security Group
CVSS Score-7.7||HIGH
EPSS-0.15% / 4.50%
||
7 Day CHG~0.00%
Published-16 Jul, 2026 | 21:41
Updated-17 Jul, 2026 | 15:07
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
YAML::Syck versions before 1.47 for Perl allow an out-of-bounds read via an unbounded newline scan in newline_len

YAML::Syck versions before 1.47 for Perl allow an out-of-bounds read via an unbounded newline scan in newline_len. In the bundled libsyck newline_len and is_newline dereference the scan pointer, and the following byte for a "\r\n" pair, with no NUL-terminator or bounds check. During block-scalar lexing at a document boundary the scan runs one byte past the heap lexer buffer. This is an incomplete fix of CVE-2025-11683, on a lexer path the earlier fix did not cover. Any caller that runs Load or LoadFile on an untrusted document with a block scalar at a document boundary reaches the over-read.

Action-Not Available
Vendor-TODDR
Product-YAML::Syck
CWE ID-CWE-125
Out-of-bounds Read
CVE-2026-57076
Assigner-CPAN Security Group
ShareView Details
Assigner-CPAN Security Group
CVSS Score-7.8||HIGH
EPSS-0.13% / 2.96%
||
7 Day CHG~0.00%
Published-16 Jul, 2026 | 21:40
Updated-17 Jul, 2026 | 15:07
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
YAML::Syck versions before 1.47 for Perl allow a heap use-after-free via an anchor name reused as an anchors-table key in syck_hdlr_add_anchor

YAML::Syck versions before 1.47 for Perl allow a heap use-after-free via an anchor name reused as an anchors-table key in syck_hdlr_add_anchor. In the bundled libsyck an anchor name allocated by syck_strndup is stored both as node->anchor, freed when the node is freed, and as the key in the parser's anchors table. Freeing the node frees the shared key, and a later anchor redefinition makes st_delete compare against the freed key, so st_strcmp reads freed heap memory. Anchors are a standard YAML feature and need no special flags, so this is reached on the default Load path. Any caller that runs Load or LoadFile on an untrusted document that redefines an anchor reaches the read of freed memory.

Action-Not Available
Vendor-TODDR
Product-YAML::Syck
CWE ID-CWE-416
Use After Free
CVE-2026-57075
Assigner-CPAN Security Group
ShareView Details
Assigner-CPAN Security Group
CVSS Score-9.1||CRITICAL
EPSS-0.39% / 31.68%
||
7 Day CHG~0.00%
Published-16 Jul, 2026 | 21:39
Updated-17 Jul, 2026 | 15:07
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
YAML::Syck versions before 1.47 for Perl allow an out-of-bounds read via a signed-char lookup-table index in syck_base64dec

YAML::Syck versions before 1.47 for Perl allow an out-of-bounds read via a signed-char lookup-table index in syck_base64dec. The base64 decoder in the bundled libsyck indexes the 256-entry static table b64_xtable with a signed char, so any !!binary byte >= 0x80 sign-extends to a negative index and reads before the table. The decoder receives the raw bytes of any !!binary node, a standard YAML type not gated by $LoadBlessed or $LoadCode, so it is reached on the default Load path. Any caller that runs Load or LoadFile on an untrusted document containing a !!binary scalar with a high-bit byte triggers the read, and the value read can surface in the decoded result.

Action-Not Available
Vendor-TODDR
Product-YAML::Syck
CWE ID-CWE-125
Out-of-bounds Read
CVE-2026-13713
Assigner-CPAN Security Group
ShareView Details
Assigner-CPAN Security Group
CVSS Score-6.2||MEDIUM
EPSS-0.14% / 3.84%
||
7 Day CHG~0.00%
Published-16 Jul, 2026 | 21:35
Updated-17 Jul, 2026 | 15:07
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
YAML::Syck versions before 1.47 for Perl allow a use-after-free and double-free via an anchor node freed while still on the parser value stack

YAML::Syck versions before 1.47 for Perl allow a use-after-free and double-free via an anchor node freed while still on the parser value stack. In the bundled libsyck, when an anchor name is redefined or removed, syck_hdlr_add_anchor and syck_hdlr_remove_anchor free the node stored under that name with syck_free_node. That node can still be live on the parser's value stack, so syck_hdlr_add_node reaches it again and frees it a second time. On a normal build the 48-byte node chunk is freed twice and the interpreter aborts. Anchors need no special flags, so this is reached on the default Load path, and a 7-byte document that redefines an anchor triggers it. Any caller that runs Load or LoadFile on an untrusted document that redefines an anchor mid-parse crashes the interpreter, a denial of service.

Action-Not Available
Vendor-TODDR
Product-YAML::Syck
CWE ID-CWE-415
Double Free
CWE ID-CWE-416
Use After Free
CVE-2026-3031
Assigner-CPAN Security Group
ShareView Details
Assigner-CPAN Security Group
CVSS Score-9.8||CRITICAL
EPSS-0.40% / 32.46%
||
7 Day CHG~0.00%
Published-16 Jul, 2026 | 16:22
Updated-17 Jul, 2026 | 19:17
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Image::EPEG versions through 0.15 for Perl embeds an unsupported version of the Epeg library

Image::EPEG versions through 0.15 for Perl embeds an unsupported version of the Epeg library. Image::EPEG includes Epeg 0.9.0 that was last updated in 2004. Epeg is a fast JPEG thumbnail library that was once part of the Englightenment Project.

Action-Not Available
Vendor-TOKUHIROM
Product-Image::EPEG
CWE ID-CWE-1104
Use of Unmaintained Third Party Components
CVE-2026-57074
Assigner-CPAN Security Group
ShareView Details
Assigner-CPAN Security Group
CVSS Score-9.1||CRITICAL
EPSS-0.40% / 32.58%
||
7 Day CHG~0.00%
Published-16 Jul, 2026 | 16:15
Updated-17 Jul, 2026 | 19:17
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
XML::Bare versions through 0.53 for Perl have an unbounded character lookahead

XML::Bare versions through 0.53 for Perl have an unbounded character lookahead. The parserc_parse function attempts to check for multicharacter strings such as "<![CDATA" or element terminators such as ">" without checking that the offsets are within the buffer. Truncated strings such as "<a/" can trigger an out-of-bounds read.

Action-Not Available
Vendor-CODECHILD
Product-XML::Bare
CWE ID-CWE-125
Out-of-bounds Read
CVE-2026-57073
Assigner-CPAN Security Group
ShareView Details
Assigner-CPAN Security Group
CVSS Score-9.1||CRITICAL
EPSS-0.42% / 34.25%
||
7 Day CHG~0.00%
Published-16 Jul, 2026 | 16:15
Updated-17 Jul, 2026 | 13:18
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
HTML::Bare versions through 0.04 for Perl have an unbounded character lookahead

HTML::Bare versions through 0.04 for Perl have an unbounded character lookahead. The parserc_parse function attempts to check for multicharacter strings such as "<![CDATA" or element terminators such as ">" without checking that the offsets are within the buffer. Truncated strings such as "<a/" can trigger an out-of-bounds read. Note that the latest version available on CPAN is version 0.02. Newer versions are available on the git repository.

Action-Not Available
Vendor-CODECHILD
Product-HTML::Bare
CWE ID-CWE-125
Out-of-bounds Read
CVE-2026-13401
Assigner-CPAN Security Group
ShareView Details
Assigner-CPAN Security Group
CVSS Score-7.5||HIGH
EPSS-0.39% / 31.11%
||
7 Day CHG~0.00%
Published-16 Jul, 2026 | 16:14
Updated-17 Jul, 2026 | 13:17
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
XML::Bare versions through 0.53 for Perl will hang in an infinite loop when parsing malformed attributes

XML::Bare versions through 0.53 for Perl will hang in an infinite loop when parsing malformed attributes. The parserc_parse function never advances the attribute-parse state cursor on certain malformed attribute forms, looping forever. Nameless attributes such as "<a ='c'>" or unbalanced quotes "<a b='''''''c'>" can trigger this condition.

Action-Not Available
Vendor-CODECHILD
Product-XML::Bare
CWE ID-CWE-835
Loop with Unreachable Exit Condition ('Infinite Loop')
CVE-2026-13397
Assigner-CPAN Security Group
ShareView Details
Assigner-CPAN Security Group
CVSS Score-7.5||HIGH
EPSS-0.39% / 31.59%
||
7 Day CHG~0.00%
Published-16 Jul, 2026 | 16:14
Updated-17 Jul, 2026 | 14:17
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
HTML::Bare versions through 0.04 for Perl will hang in an infinite loop when parsing malformed attributes

HTML::Bare versions through 0.04 for Perl will hang in an infinite loop when parsing malformed attributes. The parserc_parse function never advances the attribute-parse state cursor on certain malformed attribute forms, looping forever. Nameless attributes such as "<a ='c'>" or unbalanced quotes "<a b='''''''c'>" can trigger this condition. Note that the latest version available on CPAN is version 0.02. Newer versions are available on the git repository.

Action-Not Available
Vendor-CODECHILD
Product-HTML::Bare
CWE ID-CWE-835
Loop with Unreachable Exit Condition ('Infinite Loop')
CVE-2026-15747
Assigner-CPAN Security Group
ShareView Details
Assigner-CPAN Security Group
CVSS Score-9.1||CRITICAL
EPSS-0.25% / 16.08%
||
7 Day CHG~0.00%
Published-14 Jul, 2026 | 17:07
Updated-15 Jul, 2026 | 20:08
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Mojolicious versions from 4.59 before 9.48 for Perl expose a stable representation of the session CSRF token to a BREACH compression oracle

Mojolicious versions from 4.59 before 9.48 for Perl expose a stable representation of the session CSRF token to a BREACH compression oracle. _csrf_token generates and caches one token per session and returns the same value on every call, and _csrf_field places that value in a hidden `csrf_token` input. When a response carrying the token also echoes attacker-controlled input and is gzip-compressed, the chosen values and the resulting compressed lengths form a BREACH oracle. An attacker able to query it can recover the token and pass csrf_protect validation.

Action-Not Available
Vendor-SRI
Product-Mojolicious
CWE ID-CWE-204
Observable Response Discrepancy
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2026-60082
Assigner-CPAN Security Group
ShareView Details
Assigner-CPAN Security Group
CVSS Score-9.1||CRITICAL
EPSS-0.65% / 47.19%
||
7 Day CHG~0.00%
Published-14 Jul, 2026 | 15:35
Updated-15 Jul, 2026 | 15:16
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
DBI versions before 1.651 for Perl do not enforce statement handle consistency with the row

DBI versions before 1.651 for Perl do not enforce statement handle consistency with the row. When the statement handle had no fields but the source row was non-empty, the internal row-buffer helper would read from a negative array index. This could be triggered by a caller supplying inconsistent metadata and rows to the prepare method.

Action-Not Available
Vendor-HMBRAND
Product-DBI
CWE ID-CWE-125
Out-of-bounds Read
CVE-2026-60081
Assigner-CPAN Security Group
ShareView Details
Assigner-CPAN Security Group
CVSS Score-7.5||HIGH
EPSS-0.63% / 46.13%
||
7 Day CHG~0.00%
Published-14 Jul, 2026 | 15:34
Updated-15 Jul, 2026 | 14:18
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
DBI::ProfileData versions before 1.651 for Perl do not limit the path index

DBI::ProfileData versions before 1.651 for Perl do not limit the path index. The path index column of profile dump files is used to allocate an array of data for the parser. An unbounded value allows an attacker to specify a large index and consume available memory.

Action-Not Available
Vendor-HMBRAND
Product-DBI::ProfileData
CWE ID-CWE-770
Allocation of Resources Without Limits or Throttling
CVE-2026-15392
Assigner-CPAN Security Group
ShareView Details
Assigner-CPAN Security Group
CVSS Score-7.7||HIGH
EPSS-0.20% / 9.52%
||
7 Day CHG~0.00%
Published-14 Jul, 2026 | 15:34
Updated-15 Jul, 2026 | 14:17
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
DBD::File versions before 1.651 for Perl do not ensure the table file is not a symlink to an untrusted location

DBD::File versions before 1.651 for Perl do not ensure the table file is not a symlink to an untrusted location. The complete_table_name method builds the absolute table file path without checking whether the file is a symbolic link. A link inside the data directory can point to a table file at any path outside of the configured f_dir and f_dir_search directories. Callers of file-based drivers can read or write files outside of the data directory.

Action-Not Available
Vendor-HMBRAND
Product-DBD::File
CWE ID-CWE-22
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CWE ID-CWE-59
Improper Link Resolution Before File Access ('Link Following')
CVE-2026-15043
Assigner-CPAN Security Group
ShareView Details
Assigner-CPAN Security Group
CVSS Score-9.8||CRITICAL
EPSS-0.51% / 40.27%
||
7 Day CHG~0.00%
Published-14 Jul, 2026 | 09:44
Updated-14 Jul, 2026 | 16:16
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
DBI::SQL::Nano versions from 1.42 before 1.651 for Perl have inverted <= and >= SQL operators on text

DBI::SQL::Nano versions from 1.42 before 1.651 for Perl have inverted <= and >= SQL operators on text. DBI::SQL::Nano, DBI's built-in mini-SQL engine, evaluated WHERE predicates incorrectly in some cases. In the non-numeric string branch of the is_matched method, <= was evaluated using Perl's ge operator, and >= was evaluated using Perl's le operator. SQL::Nano is the fallback query engine for DBI's file-backed drivers (DBD::File, DBD::DBM, CSV-style drivers) whenever SQL::Statement is not installed, and is forced whenever DBI_SQL_NANO=1. Queries over such tables use these predicates directly. The impact depends on the context. Where an application relies on a WHERE clause to filter file-backed data for policy or authorization, an inverted <=/>= comparison silently returns the wrong rows.

Action-Not Available
Vendor-HMBRAND
Product-DBI::SQL::Nano
CWE ID-CWE-480
Use of Incorrect Operator
CVE-2026-58102
Assigner-CPAN Security Group
ShareView Details
Assigner-CPAN Security Group
CVSS Score-9.1||CRITICAL
EPSS-0.22% / 12.79%
||
7 Day CHG~0.00%
Published-13 Jul, 2026 | 22:22
Updated-14 Jul, 2026 | 13:18
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Crypt::OpenSSL::X509 versions before 2.1.3 for Perl allow a heap out-of-bounds read via a long certificate extension OID in hv_exts

Crypt::OpenSSL::X509 versions before 2.1.3 for Perl allow a heap out-of-bounds read via a long certificate extension OID in hv_exts. When building the extension hash (via extensions(), extensions_by_long_name(), extensions_by_oid(), or has_extension_oid()), the code passes OBJ_obj2txt()'s return value as the hash-key length; because that value is the OID's full text length rather than the bytes written to the fixed-size buffer (129 bytes), an OID whose text is longer than the 129-byte buffer causes a read past the allocation, exposing adjacent heap memory as the returned hash key. extensions_by_name() uses the static shortname path and is not affected.

Action-Not Available
Vendor-JONASBN
Product-Crypt::OpenSSL::X509
CWE ID-CWE-125
Out-of-bounds Read
CVE-2026-58101
Assigner-CPAN Security Group
ShareView Details
Assigner-CPAN Security Group
CVSS Score-7.5||HIGH
EPSS-0.21% / 11.53%
||
7 Day CHG~0.00%
Published-13 Jul, 2026 | 22:17
Updated-14 Jul, 2026 | 13:18
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Crypt::OpenSSL::X509 versions before 2.1.3 for Perl allow denial of service via NULL pointer dereference

Crypt::OpenSSL::X509 versions before 2.1.3 for Perl allow denial of service via NULL pointer dereference. X509V3_EXT_d2i(ext) returns NULL when an extension's DER value fails to parse. basicC, ia5string, and auth_att dereference its result without a NULL check. keyid_data also dereferences akid->keyid, which is NULL for an empty AKI SEQUENCE (DER 30 00) even when the parse succeeds. A caller invoking an affected helper on an extension from an untrusted certificate triggers a SIGSEGV that crashes the Perl process.

Action-Not Available
Vendor-JONASBN
Product-Crypt::OpenSSL::X509
CWE ID-CWE-476
NULL Pointer Dereference
CVE-2026-13221
Assigner-CPAN Security Group
ShareView Details
Assigner-CPAN Security Group
CVSS Score-9.1||CRITICAL
EPSS-0.61% / 45.03%
||
7 Day CHG~0.00%
Published-13 Jul, 2026 | 15:40
Updated-14 Jul, 2026 | 18:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Perl versions through 5.43.9 produce silently incorrect regular expression matches when an alternation of more than 65535 fixed string branches is compiled into a trie in Perl_study_chunk

Perl versions through 5.43.9 produce silently incorrect regular expression matches when an alternation of more than 65535 fixed string branches is compiled into a trie in Perl_study_chunk. When such branches are combined into a trie, the delta between the first branch and the shared tail is stored in a 16-bit field. A branch count above 65535 overflows the field, and the trie's match decision table is truncated with no warning or error. A pattern of this shape produces false positive matches (matching strings it should not) and false negative matches (failing to match strings it should). When such a pattern gates an access or filtering decision, the result is wrong.

Action-Not Available
Vendor-perlSHAY
Product-perlperl
CWE ID-CWE-190
Integer Overflow or Wraparound
CVE-2026-57432
Assigner-CPAN Security Group
ShareView Details
Assigner-CPAN Security Group
CVSS Score-8.4||HIGH
EPSS-0.20% / 9.54%
||
7 Day CHG~0.00%
Published-13 Jul, 2026 | 15:38
Updated-14 Jul, 2026 | 18:04
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Perl versions through 5.43.10 have an integer overflow in S_measure_struct leading to an out-of-bounds heap read in pack and unpack

Perl versions through 5.43.10 have an integer overflow in S_measure_struct leading to an out-of-bounds heap read in pack and unpack. S_measure_struct adds each item's size times its repeat count to a running total with no overflow check, so a large repeat count in a pack or unpack template wraps the signed SSize_t total negative. The @, X, and x position codes then guard their moves with a signed length comparison that passes when the length is negative, advancing the buffer pointer out of bounds. A template derived from untrusted input can read heap memory past the buffer and return it to the caller.

Action-Not Available
Vendor-perlSHAY
Product-perlperl
CWE ID-CWE-125
Out-of-bounds Read
CWE ID-CWE-190
Integer Overflow or Wraparound
CVE-2026-57433
Assigner-CPAN Security Group
ShareView Details
Assigner-CPAN Security Group
CVSS Score-9.8||CRITICAL
EPSS-0.34% / 26.72%
||
7 Day CHG~0.00%
Published-13 Jul, 2026 | 15:37
Updated-14 Jul, 2026 | 17:47
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Storable versions before 3.41 for Perl have a signed integer overflow when deserializing a crafted SX_HOOK record

Storable versions before 3.41 for Perl have a signed integer overflow when deserializing a crafted SX_HOOK record. retrieve_hook_common reads a signed 32-bit item count from an SX_HOOK record and calls av_extend with that count plus one. A count of I32_MAX wraps the addition to a negative value. A crafted blob passed to thaw or retrieve triggers the overflow; av_extend receives the negative count and dies with a panic, terminating the deserialization.

Action-Not Available
Vendor-nwclarkHAARG
Product-storableStorable
CWE ID-CWE-190
Integer Overflow or Wraparound
CVE-2026-49147
Assigner-CPAN Security Group
ShareView Details
Assigner-CPAN Security Group
CVSS Score-7.5||HIGH
EPSS-0.33% / 25.04%
||
7 Day CHG~0.00%
Published-08 Jul, 2026 | 14:55
Updated-08 Jul, 2026 | 20:16
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
App::Ack versions through 3.10.0 for Perl print unsanitised terminal escape sequences from filenames in several output modes

App::Ack versions through 3.10.0 for Perl print unsanitised terminal escape sequences from filenames in several output modes. When ack prints a filename whose basename contains terminal control bytes such as ANSI escape sequences, those bytes reach the terminal unchanged. Version 3.10.0 added a _safe_filename helper that sanitises the filenames printed by -f, -g, the colored match heading, and per-match lines, but the --show-types, -l/-L, and -c paths still emit the raw filename. A file whose name embeds cursor-movement or color escapes can overwrite or recolor earlier terminal output, or be passed unchanged to a downstream consumer.

Action-Not Available
Vendor-PETDANCE
Product-App::Ack
CWE ID-CWE-150
Improper Neutralization of Escape, Meta, or Control Sequences
CVE-2026-49146
Assigner-CPAN Security Group
ShareView Details
Assigner-CPAN Security Group
CVSS Score-7.5||HIGH
EPSS-0.38% / 30.24%
||
7 Day CHG~0.00%
Published-08 Jul, 2026 | 14:55
Updated-08 Jul, 2026 | 20:16
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
App::Ack versions before 3.10.0 for Perl allow memory exhaustion via an unbounded context value in a project .ackrc

App::Ack versions before 3.10.0 for Perl allow memory exhaustion via an unbounded context value in a project .ackrc. ack searches up the directory hierarchy from the current directory for a project .ackrc and loads its options. The -B and -C context options accepted any positive integer, and ack sized the before-context buffer to that value, so a project .ackrc setting --before-context=100000000 made ack allocate a buffer of 100 million elements. A project .ackrc committed to an untrusted repository can abort ack with an out-of-memory condition.

Action-Not Available
Vendor-PETDANCE
Product-App::Ack
CWE ID-CWE-770
Allocation of Resources Without Limits or Throttling
CVE-2026-49145
Assigner-CPAN Security Group
ShareView Details
Assigner-CPAN Security Group
CVSS Score-7.5||HIGH
EPSS-0.33% / 25.04%
||
7 Day CHG~0.00%
Published-08 Jul, 2026 | 14:55
Updated-08 Jul, 2026 | 20:16
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
App::Ack versions through 3.10.0 for Perl read arbitrary files via --files-from in a project .ackrc

App::Ack versions through 3.10.0 for Perl read arbitrary files via --files-from in a project .ackrc. ack searches up the directory hierarchy from the current directory for a project .ackrc and loads its options. The project-source option blocklist in App::Ack::ConfigLoader does not include --files-from, so a project .ackrc can set it to a path whose listed files ack then reads and searches. Version 3.10.0 added --follow to the blocklist; --files-from remains accepted. A project .ackrc committed to an untrusted repository can make ack read files outside the project and print their matching lines.

Action-Not Available
Vendor-PETDANCE
Product-App::Ack
CWE ID-CWE-426
Untrusted Search Path
CWE ID-CWE-73
External Control of File Name or Path
CVE-2026-14454
Assigner-CPAN Security Group
ShareView Details
Assigner-CPAN Security Group
CVSS Score-9.8||CRITICAL
EPSS-0.39% / 31.68%
||
7 Day CHG~0.00%
Published-08 Jul, 2026 | 12:30
Updated-09 Jul, 2026 | 19:49
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Imager versions before 1.033 for Perl treat unsigned EXIF IFD entry counts as signed

Imager versions before 1.033 for Perl treat unsigned EXIF IFD entry counts as signed. Imager mishandled large EXIF IFD entry count values, treating them as negative numbers. This could lead to an attempt to allocate a block nearly the size of the address space, which fails and kills the process. An attacker could craft an image with EXIF data that terminates a worker process.

Action-Not Available
Vendor-TONYC
Product-Imager
CWE ID-CWE-196
Unsigned to Signed Conversion Error
CWE ID-CWE-789
Memory Allocation with Excessive Size Value
CVE-2026-14895
Assigner-CPAN Security Group
ShareView Details
Assigner-CPAN Security Group
CVSS Score-7.5||HIGH
EPSS-0.39% / 31.52%
||
7 Day CHG~0.00%
Published-07 Jul, 2026 | 22:12
Updated-08 Jul, 2026 | 15:56
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
String::Util versions before 1.36 for Perl are susceptible to a regular expression denial of service

String::Util versions before 1.36 for Perl are susceptible to a regular expression denial of service. The trim and rtrim functions stripped trailing whitespace with s/\s*$//u. Because \s* matches greedily and the $ anchor fails whenever a non-whitespace character follows the whitespace, the regex engine retries the match at each offset of a long whitespace run, producing quadratic backtracking. The fix replaces \s*$ with \s+$. Any caller that passes untrusted input to trim or rtrim can trigger CPU exhaustion with a string containing a long run of whitespace.

Action-Not Available
Vendor-BAKERSCOT
Product-String::Util
CWE ID-CWE-1333
Inefficient Regular Expression Complexity
CVE-2026-14740
Assigner-CPAN Security Group
ShareView Details
Assigner-CPAN Security Group
CVSS Score-9.1||CRITICAL
EPSS-0.41% / 32.99%
||
7 Day CHG~0.00%
Published-07 Jul, 2026 | 22:05
Updated-10 Jul, 2026 | 14:40
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
DBI versions before 1.650 for Perl read one byte out-of-bounds in preparse when deleting an initial SQL comment

DBI versions before 1.650 for Perl read one byte out-of-bounds in preparse when deleting an initial SQL comment. The preparse method normalises SQL and removes comments. When the SQL starts with a comment line, the deletion of that line during normalisation led to an out-of-bounds read by one byte. The result is a fault on memory-hardened builds and nondeterministic newline retention on normal builds.

Action-Not Available
Vendor-perlHMBRAND
Product-dbiDBI
CWE ID-CWE-125
Out-of-bounds Read
CVE-2026-14739
Assigner-CPAN Security Group
ShareView Details
Assigner-CPAN Security Group
CVSS Score-9.8||CRITICAL
EPSS-0.40% / 31.95%
||
7 Day CHG~0.00%
Published-07 Jul, 2026 | 22:05
Updated-10 Jul, 2026 | 14:41
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
DBI versions before 1.650 for Perl have a heap overflow when preparsing SQL statements with an extreme number of placeholders

DBI versions before 1.650 for Perl have a heap overflow when preparsing SQL statements with an extreme number of placeholders. The fix for CVE-2026-10879 did not allocate enough memory to handle approximately 1.2-million placeholders. DBI version 1.650 sets a hard limit of 99,999 placeholders.

Action-Not Available
Vendor-perlHMBRAND
Product-dbiDBI
CWE ID-CWE-787
Out-of-bounds Write
CVE-2026-14380
Assigner-CPAN Security Group
ShareView Details
Assigner-CPAN Security Group
CVSS Score-8.8||HIGH
EPSS-0.50% / 39.39%
||
7 Day CHG~0.00%
Published-07 Jul, 2026 | 22:04
Updated-10 Jul, 2026 | 14:46
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
DBI versions before 1.650 for Perl are vulnerable to code injection via caller-influenced Profile

DBI versions before 1.650 for Perl are vulnerable to code injection via caller-influenced Profile. When a string is assigned to a DBI handle's Profile attribute, DBI splits it into path, package and arguments, and interpolates the package part in a string eval with no validation of the package name. Any caller-influenced value that reaches the Profile attribute is therefore arbitrary Perl code execution, including calls to run system commands. The Profile attribute can be set from three different sources that can carry untrusted data: the DBI_PROFILE environment variable, a direct attribute assignment, and a DSN driver-attribute clause dbi:Driver(Profile=>SPEC):db. An attacker controlling any of those inputs runs arbitrary Perl in the host process. The strongest remote position is a network-exposed DBI::Gofer / DBI::ProxyServer whose per-request DSN reaches the Profile attribute, letting a client execute code on the broker host.

Action-Not Available
Vendor-perlHMBRAND
Product-dbiDBI
CWE ID-CWE-95
Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection')
CVE-2026-7017
Assigner-CPAN Security Group
ShareView Details
Assigner-CPAN Security Group
CVSS Score-7.1||HIGH
EPSS-0.26% / 17.57%
||
7 Day CHG~0.00%
Published-07 Jul, 2026 | 17:41
Updated-08 Jul, 2026 | 15:56
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
HTTP::Tiny versions before 0.095 for Perl forward credential headers to cross-origin redirect targets

HTTP::Tiny versions before 0.095 for Perl forward credential headers to cross-origin redirect targets. When the server returns a 3xx redirect, `_maybe_redirect` follows the `Location:` header and `_prepare_headers_and_cb` re-merges the caller's `headers` argument into the new request, without checking whether the redirect target shares an origin with the original URL. Caller-supplied `Authorization`, `Cookie` and `Proxy-Authorization` headers are therefore re-sent to whatever host the redirect names, across scheme, host or port boundaries, and including `https` to `http` downgrades that expose them in plaintext on the wire. The HTTP::Tiny POD note that "Authorization headers will not be included in a redirected request" applied only to the URL-userinfo Basic-auth path, not to headers passed explicitly by the caller.

Action-Not Available
Vendor-HAARG
Product-HTTP::Tiny
CWE ID-CWE-522
Insufficiently Protected Credentials
CVE-2011-10043
Assigner-CPAN Security Group
ShareView Details
Assigner-CPAN Security Group
CVSS Score-9.8||CRITICAL
EPSS-0.43% / 34.75%
||
7 Day CHG~0.00%
Published-07 Jul, 2026 | 11:46
Updated-07 Jul, 2026 | 17:16
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Module::Load versions before 0.22 for Perl allow arbitrary modules outside of @INC to be loaded

Module::Load versions before 0.22 for Perl allow arbitrary modules outside of @INC to be loaded. Module names starting with "::" could be passed to the load function to specify arbitrary module paths. Attackers able to influence module names passed to load could use that bug to execute arbitrary code.

Action-Not Available
Vendor-BINGOS
Product-Module::Load
CWE ID-CWE-145
Improper Neutralization of Section Delimiters
CVE-2026-13708
Assigner-CPAN Security Group
ShareView Details
Assigner-CPAN Security Group
CVSS Score-7.5||HIGH
EPSS-0.38% / 29.76%
||
7 Day CHG~0.00%
Published-06 Jul, 2026 | 12:04
Updated-06 Jul, 2026 | 19:16
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Imager::File::JPEG versions before 1.003 for Perl leak heap memory when reading a JPEG with repeated APP13 markers in i_readjpeg_wiol

Imager::File::JPEG versions before 1.003 for Perl leak heap memory when reading a JPEG with repeated APP13 markers in i_readjpeg_wiol. i_readjpeg_wiol walks the marker list libjpeg returns and, for each APP13 marker, allocates a new buffer with *iptc_itext = mymalloc(...) and overwrites the previous pointer without freeing it. Only the final payload is later turned into a Perl scalar and freed, so a JPEG with N such markers leaks the first N-1 payloads on every read. In a long-lived process, such as an upload or thumbnailing service, repeated reads accumulate these leaks and exhaust available memory, a denial of service. The same handler ships bundled in the Imager distribution, where versions before 1.032 are affected and the fix ships in 1.032.

Action-Not Available
Vendor-TONYC
Product-Imager::File::JPEG
CWE ID-CWE-401
Missing Release of Memory after Effective Lifetime
CVE-2026-13705
Assigner-CPAN Security Group
ShareView Details
Assigner-CPAN Security Group
CVSS Score-7.1||HIGH
EPSS-0.14% / 3.41%
||
7 Day CHG~0.00%
Published-06 Jul, 2026 | 12:03
Updated-06 Jul, 2026 | 20:16
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Imager versions before 1.032 for Perl have a heap out-of-bounds read in the bundled Imager::File::SGI reader via a 16-bit RLE literal run in read_rgb_16_rle

Imager versions before 1.032 for Perl have a heap out-of-bounds read in the bundled Imager::File::SGI reader via a 16-bit RLE literal run in read_rgb_16_rle. read_rgb_16_rle guards each literal run with if (count > data_left), but count is a pixel count while every 16-bit sample consumes two bytes. The copy loop reads inp[0] * 256 + inp[1] and advances two bytes per pixel, so a run with data_left / 2 < count <= data_left passes the guard yet consumes 2 * count bytes and reads past the end of the buffer. The 8-bit path is unaffected because there one pixel is one byte. Reading a crafted SGI image through Imager->read triggers the over-read before the parser rejects the malformed image, which can crash the process.

Action-Not Available
Vendor-TONYC
Product-Imager
CWE ID-CWE-125
Out-of-bounds Read
CVE-2026-14803
Assigner-CPAN Security Group
ShareView Details
Assigner-CPAN Security Group
CVSS Score-6.5||MEDIUM
EPSS-0.33% / 25.19%
||
7 Day CHG~0.00%
Published-06 Jul, 2026 | 01:34
Updated-06 Jul, 2026 | 19:16
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Mojo::JSON versions before 9.47 for Perl allow memory exhaustion via unbounded recursion in the pure-Perl decoder

Mojo::JSON versions before 9.47 for Perl allow memory exhaustion via unbounded recursion in the pure-Perl decoder. The pure-Perl decode path (`_decode_value` dispatching to `_decode_array` and `_decode_object`) recurses with no depth limit, so a small deeply nested JSON document can consume excessive memory. This path is the default when Cpanel::JSON::XS is not installed or `MOJO_NO_JSON_XS=1` is set; the Cpanel::JSON::XS fast path is not affected. Any caller that decodes an untrusted JSON body, for example `Mojo::Message::json` reached through `$c->req->json`, can exhaust process memory and cause denial of service.

Action-Not Available
Vendor-SRI
Product-Mojo::JSON
CWE ID-CWE-674
Uncontrolled Recursion
CVE-2026-14570
Assigner-CPAN Security Group
ShareView Details
Assigner-CPAN Security Group
CVSS Score-7.5||HIGH
EPSS-0.51% / 40.02%
||
7 Day CHG~0.00%
Published-05 Jul, 2026 | 01:30
Updated-06 Jul, 2026 | 18:16
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Crypt::DSA versions before 1.22 for Perl draw the DSA signing nonce and private key from a biased random generator, leading to private-key recovery

Crypt::DSA versions before 1.22 for Perl draw the DSA signing nonce and private key from a biased random generator, leading to private-key recovery. "Crypt::DSA::Util::makerandom forces the high bit of every value it returns to obtain an exactly N-bit integer for prime search. The signing nonce and the private key are drawn from makerandom. Because the high bit is always set, the result is not uniform: its top bit is fixed, producing insecure values." An attacker who collects a modest number of signatures under an affected key, together with the public key, can recover the private key with a lattice attack. Keys used to sign with an affected version should be considered compromised and new keys should be generated.

Action-Not Available
Vendor-TIMLEGGE
Product-Crypt::DSA
CWE ID-CWE-330
Use of Insufficiently Random Values
CVE-2026-12740
Assigner-CPAN Security Group
ShareView Details
Assigner-CPAN Security Group
CVSS Score-8.1||HIGH
EPSS-0.17% / 6.81%
||
7 Day CHG~0.00%
Published-04 Jul, 2026 | 17:58
Updated-06 Jul, 2026 | 18:16
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Plack::Middleware::OAuth versions through 0.10 for Perl do not support the OAuth 2.0 state parameter

Plack::Middleware::OAuth versions through 0.10 for Perl do not support the OAuth 2.0 state parameter. RequestTokenV2 builds the provider authorization redirect without issuing a state value, and AccessTokenV2 exchanges the callback code and registers the resulting token into the session (register_session) without verifying that the callback corresponds to an authorization request this session initiated. Any application that uses this middleware for OAuth 2.0 login is exposed to login cross-site request forgery: because the callback is not bound to the session that began the flow, an attacker who starts an authorization with their own provider account can deliver the resulting callback to a victim, causing the victim's session to complete the attacker's authorization and associating the attacker's provider identity and access token with that session. Where the application persists this as an account link, the attacker may retain access to the victim's account through their own provider credentials.

Action-Not Available
Vendor-CORNELIUS
Product-Plack::Middleware::OAuth
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2026-12746
Assigner-CPAN Security Group
ShareView Details
Assigner-CPAN Security Group
CVSS Score-8.1||HIGH
EPSS-0.19% / 8.38%
||
7 Day CHG~0.00%
Published-04 Jul, 2026 | 17:52
Updated-06 Jul, 2026 | 18:16
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Dancer2::Plugin::Auth::OAuth::Provider versions before 0.23 for Perl do not support the OAuth 2.0 state parameter

Dancer2::Plugin::Auth::OAuth::Provider versions before 0.23 for Perl do not support the OAuth 2.0 state parameter. The authentication_url method builds the provider authorization redirect without issuing a state value, and the callback method exchanges the callback code and registers the resulting token into the session without verifying that the callback corresponds to an authorization request this session initiated. Any application that uses this plugin for OAuth 2.0 login is exposed to login cross-site request forgery: because the callback is not bound to the session that began the flow, an attacker who starts an authorization with their own provider account can deliver the resulting callback to a victim, causing the victim's session to complete the attacker's authorization and associating the attacker's provider identity and access token with that session. Where the application persists this as an account link, the attacker may retain access to the victim's account through their own provider credentials.

Action-Not Available
Vendor-BIAFRA
Product-Dancer2::Plugin::Auth::OAuth::Provider
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2026-56015
Assigner-CPAN Security Group
ShareView Details
Assigner-CPAN Security Group
CVSS Score-9.1||CRITICAL
EPSS-0.54% / 41.63%
||
7 Day CHG~0.00%
Published-03 Jul, 2026 | 12:56
Updated-06 Jul, 2026 | 19:17
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Net::IP::LPM versions through 1.10 for Perl allow a heap out-of-bounds read via an unbounded prefix length

Net::IP::LPM versions through 1.10 for Perl allow a heap out-of-bounds read via an unbounded prefix length. add() passes the prefix string to the trie builder addPrefixToTrie() without checking it against the address width. addPrefixToTrie() then walks the prefix buffer by prefix_length bits, reading prefix[byte] for byte up to prefix_len/8, where prefix is the 4-byte (IPv4) or 16-byte (IPv6) packed address. A prefix length greater than 32 for IPv4 or 128 for IPv6, for example add("1.2.3.4/255", $v) or add("2001:db8::/255", $v), reads past the end of the packed address. The out-of-bounds read happens during trie construction and is bounded: the prefix length is stored as an unsigned char, so the bit walk reads at most 32 bytes from the start of the packed address, a short distance past the end of the 4-byte or 16-byte buffer. It is detectable under AddressSanitizer, valgrind, or a hardened allocator, where it can abort the process. Lookups and dump() format only the valid address width, so the out-of-bounds bytes are not exposed through the module's API.

Action-Not Available
Vendor-TPODER
Product-Net::IP::LPM
CWE ID-CWE-125
Out-of-bounds Read
CVE-2025-15646
Assigner-CPAN Security Group
ShareView Details
Assigner-CPAN Security Group
CVSS Score-9.8||CRITICAL
EPSS-0.66% / 47.59%
||
7 Day CHG~0.00%
Published-01 Jul, 2026 | 14:38
Updated-01 Jul, 2026 | 19:16
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
HTML::Gumbo versions before 0.19 for Perl disclose heap memory via type confusion

HTML::Gumbo versions before 0.19 for Perl disclose heap memory via type confusion. Support for the <template> element was added to libgumbo 0.10.0 in 2015, but the walk_tree function in lib/HTML/Gumbo.xs was not updated to support it. The element was treated as a text-node, where strlen() over-reads the heap block that the pointer addresses. Any caller that runs parse() with the default format => 'string', or with format => 'tree', on input containing a <template> element serializes the over-read bytes into the returned result, disclosing bounded heap contents. format => 'callback' reaches a croak on the unhandled node type and is unaffected.

Action-Not Available
Vendor-BPS
Product-HTML::Gumbo
CWE ID-CWE-125
Out-of-bounds Read
CWE ID-CWE-843
Access of Resource Using Incompatible Type ('Type Confusion')
CVE-2026-56016
Assigner-CPAN Security Group
ShareView Details
Assigner-CPAN Security Group
CVSS Score-5.9||MEDIUM
EPSS-0.32% / 24.34%
||
7 Day CHG~0.00%
Published-01 Jul, 2026 | 06:46
Updated-01 Jul, 2026 | 18:16
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
CGI::Session::ID::md5 versions before 4.49 for Perl generate predictable session ids from low-entropy sources

CGI::Session::ID::md5 versions before 4.49 for Perl generate predictable session ids from low-entropy sources. The generate_id method builds the session id from a MD5 digest of the process id, the epoch time, and the built-in rand() function. All three are predictable, low-entropy sources: the PID is drawn from a small range, the epoch time can be guessed or read from the HTTP Date header, and Perl's rand() is unsuitable for security purposes because it is predictable and reversible. An attacker who predicts a session id can impersonate the corresponding session and bypass authentication.

Action-Not Available
Vendor-MARKSTOS
Product-CGI::Session::ID::md5
CWE ID-CWE-338
Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG)
CWE ID-CWE-340
Generation of Predictable Numbers or Identifiers
CVE-2026-13766
Assigner-CPAN Security Group
ShareView Details
Assigner-CPAN Security Group
CVSS Score-9.8||CRITICAL
EPSS-0.35% / 27.21%
||
7 Day CHG~0.00%
Published-30 Jun, 2026 | 11:20
Updated-30 Jun, 2026 | 18:16
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
DBIx::QuickORM versions before 0.000026 for Perl allow SQL injection via unquoted SQL identifiers

DBIx::QuickORM versions before 0.000026 for Perl allow SQL injection via unquoted SQL identifiers. The default SQL builder, a SQL::Abstract subclass, sets bindtype in its constructor but never quote_char, so SQL::Abstract emits identifiers verbatim. Caller-supplied identifiers (order_by, where-clause column keys, field and returning lists, upsert columns, and join aliases) reach the SQL string raw, while values are placeholder-bound and unaffected. A caller that forwards untrusted input to an affected identifier position, such as a user-controlled order_by value, enables SQL injection: the row order can be made to depend on a sub-select over columns the query never selected, and the where and update identifier positions permit further data disclosure and tampering.

Action-Not Available
Vendor-EXODIST
Product-DBIx::QuickORM
CWE ID-CWE-89
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVE-2026-57082
Assigner-CPAN Security Group
ShareView Details
Assigner-CPAN Security Group
CVSS Score-5.9||MEDIUM
EPSS-0.15% / 4.83%
||
7 Day CHG~0.00%
Published-30 Jun, 2026 | 11:05
Updated-30 Jun, 2026 | 15:16
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Net::BitTorrent versions through 2.0.1 for Perl generate the MSE Diffie-Hellman private key with a non-cryptographic PRNG

Net::BitTorrent versions through 2.0.1 for Perl generate the MSE Diffie-Hellman private key with a non-cryptographic PRNG. The MSE (Message Stream Encryption) handshake derives its 160-bit Diffie-Hellman private key from Perl's rand(), a non-cryptographic drand48-class generator seeded once per process, in KeyExchange.pm. The shared secret and the RC4 keys derived from it (the SHA-1 of "keyA" or "keyB", the shared secret, and the infohash) therefore depend entirely on a predictable PRNG. The same handshake sends, in cleartext, random padding drawn from the same rand() sequence in _random_pad, immediately after the public key and the private-key draw. A passive observer of the handshake recovers the PRNG state from the cleartext padding, reconstructs the private key, computes the shared secret from the peer's public key on the wire, derives the RC4 keys, and decrypts the connection, defeating the passive-observation obfuscation MSE provides.

Action-Not Available
Vendor-SANKO
Product-Net::BitTorrent
CWE ID-CWE-330
Use of Insufficiently Random Values
CWE ID-CWE-338
Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG)
CVE-2026-57081
Assigner-CPAN Security Group
ShareView Details
Assigner-CPAN Security Group
CVSS Score-7.5||HIGH
EPSS-0.26% / 17.81%
||
7 Day CHG~0.00%
Published-30 Jun, 2026 | 11:05
Updated-30 Jun, 2026 | 16:16
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Net::BitTorrent versions through 2.0.1 for Perl allow remote memory exhaustion via deeply nested bencoded input

Net::BitTorrent versions through 2.0.1 for Perl allow remote memory exhaustion via deeply nested bencoded input. bdecode recurses once per nested list or dictionary level with no depth cap, and each recursive call receives the remaining buffer by value while the list and dictionary branches capture the whole remainder, so every live recursion frame keeps its own copy of the shrinking buffer (O(N^2) bytes for an N-deep input). The decoder runs on every untrusted bencode source: .torrent files, BEP09 metadata fetched from peers, DHT messages, and tracker responses. A bencoded input of roughly 150,000 nested lists (about 150 KB on the wire) drives multi-gigabyte peak memory, so one short message from any peer, or one crafted .torrent file or magnet link, terminates the client.

Action-Not Available
Vendor-SANKO
Product-Net::BitTorrent
CWE ID-CWE-400
Uncontrolled Resource Consumption
CWE ID-CWE-674
Uncontrolled Recursion
CVE-2026-57080
Assigner-CPAN Security Group
ShareView Details
Assigner-CPAN Security Group
CVSS Score-7.5||HIGH
EPSS-0.26% / 17.81%
||
7 Day CHG~0.00%
Published-30 Jun, 2026 | 11:04
Updated-30 Jun, 2026 | 14:16
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Net::BitTorrent versions through 2.0.1 for Perl allow remote memory exhaustion via an uncapped peer-wire message-length prefix

Net::BitTorrent versions through 2.0.1 for Perl allow remote memory exhaustion via an uncapped peer-wire message-length prefix. The peer-wire framing in _process_messages trusts the 4-byte length prefix sent by a connected peer with no upper bound, while receive_data appends every inbound byte to the input buffer. A peer announces a length prefix of up to about 4 GiB and then streams bytes; the decoder waits until the buffer holds the full message before processing it, so the buffer grows without limit. Peer connections are unauthenticated, so any peer in the swarm exhausts the downloading process's memory. The largest legitimate message is a 16 KiB piece block, so any announced length far above that is anomalous.

Action-Not Available
Vendor-SANKO
Product-Net::BitTorrent
CWE ID-CWE-400
Uncontrolled Resource Consumption
CWE ID-CWE-770
Allocation of Resources Without Limits or Throttling
CVE-2026-57079
Assigner-CPAN Security Group
ShareView Details
Assigner-CPAN Security Group
CVSS Score-5.3||MEDIUM
EPSS-0.28% / 20.19%
||
7 Day CHG~0.00%
Published-30 Jun, 2026 | 11:04
Updated-30 Jun, 2026 | 14:16
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Net::BitTorrent versions through 2.0.1 for Perl write files outside the download directory via path traversal in peer-supplied metadata

Net::BitTorrent versions through 2.0.1 for Perl write files outside the download directory via path traversal in peer-supplied metadata. Net::BitTorrent validates file path components only on the .torrent-file ingest path. The peer and magnet metadata path (_on_metadata_received, reached from the BEP09 ut_metadata extension) passes attacker-supplied file names straight to Storage::add_file and Storage::_parse_file_tree, where Path::Tiny's child() does not collapse "..". A v2 file tree key, a v1 files[].path element, or a single-file name containing ".." segments therefore resolves outside the download directory. Because the peer also controls the piece hashes and the served bytes, content verification passes, so a malicious magnet or peer writes attacker-chosen content to an attacker-chosen path on the downloading host.

Action-Not Available
Vendor-SANKO
Product-Net::BitTorrent
CWE ID-CWE-22
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CVE-2026-13758
Assigner-CPAN Security Group
ShareView Details
Assigner-CPAN Security Group
CVSS Score-3.7||LOW
EPSS-0.29% / 21.41%
||
7 Day CHG~0.00%
Published-29 Jun, 2026 | 20:42
Updated-30 Jun, 2026 | 14:16
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
CryptX versions before 0.088_001 for Perl compare AEAD authentication tags in non-constant time in the streaming decrypt_done path

CryptX versions before 0.088_001 for Perl compare AEAD authentication tags in non-constant time in the streaming decrypt_done path. The decrypt_done($tag) form compares it against the computed tag with memNE (memcmp() != 0), which short-circuits on the first differing byte, so its run time depends on the number of matching leading bytes. This affects all five AEAD modes: GCM, CCM, ChaCha20Poly1305, EAX and OCB. The one-shot *_decrypt_verify helpers are unaffected; they verify the tag inside libtomcrypt with a constant-time comparison. The timing difference is a tag-verification oracle. An attacker who can submit many candidate tags for the same nonce, ciphertext and associated data while measuring the timing precisely enough may recover the expected tag byte by byte and forge a message that verifies.

Action-Not Available
Vendor-MIK
Product-CryptX
CWE ID-CWE-208
Observable Timing Discrepancy
CVE-2026-56018
Assigner-CPAN Security Group
ShareView Details
Assigner-CPAN Security Group
CVSS Score-7.5||HIGH
EPSS-0.61% / 45.18%
||
7 Day CHG~0.00%
Published-29 Jun, 2026 | 19:38
Updated-30 Jun, 2026 | 14:11
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
JavaScript::Minifier::XS versions before 0.16 for Perl leak memory on every call to minify(), allowing unbounded memory growth

JavaScript::Minifier::XS versions before 0.16 for Perl leak memory on every call to minify(), allowing unbounded memory growth. In JsMinify (XS.xs) the cleanup frees only the NodeSet structures and never the per-token contents buffers allocated in JsSetNodeContents; JsDiscardNode unlinks nodes without freeing their contents. Each token's contents buffer is therefore leaked on every call, and the two early returns taken when the node list is empty leak the whole NodeSet. A long-lived process that minifies repeatedly, such as an asset pipeline or a server-side minifier endpoint, grows in memory without bound until it exhausts available memory and is killed, causing denial of service.

Action-Not Available
Vendor-GTERMARS
Product-JavaScript::Minifier::XS
CWE ID-CWE-400
Uncontrolled Resource Consumption
CWE ID-CWE-401
Missing Release of Memory after Effective Lifetime
CVE-2026-56017
Assigner-CPAN Security Group
ShareView Details
Assigner-CPAN Security Group
CVSS Score-7.5||HIGH
EPSS-0.49% / 38.80%
||
7 Day CHG~0.00%
Published-29 Jun, 2026 | 19:38
Updated-30 Jun, 2026 | 14:11
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
JavaScript::Minifier::XS versions before 0.16 for Perl crash with a NULL pointer dereference when the first meaningful token of the input is a slash

JavaScript::Minifier::XS versions before 0.16 for Perl crash with a NULL pointer dereference when the first meaningful token of the input is a slash. The regexp versus division disambiguator in JsTokenizeString (XS.xs) inspects the previous token's last byte to choose between a regexp literal and a division operator. When a slash is the first meaningful token, with the start of input or only whitespace and comments before it, there is no valid preceding token: the walk back over whitespace and comment nodes runs off the head of the node list to NULL, and the byte lookup reads through a NULL contents pointer at an underflowed length index. The following identifier check dereferences the same NULL pointer. The crash is reachable through the public minify() API, so input as small as a single slash byte crashes the calling process. A service that minifies untrusted or third-party JavaScript can be crashed by a remote request, causing denial of service.

Action-Not Available
Vendor-GTERMARS
Product-JavaScript::Minifier::XS
CWE ID-CWE-125
Out-of-bounds Read
CWE ID-CWE-476
NULL Pointer Dereference
  • Previous
  • 1
  • 2
  • 3
  • 4
  • 5
  • Next