Logo
-

Byte Open Security

(ByteOS Network)

Log In

Sign Up

ByteOS

Security
Vulnerability Details
Registries
Custom Views
Weaknesses
Attack Patterns
Filters & Tools
CVE Vulnerability Details :
CVE-2026-11526
PUBLISHED
More InfoOfficial Page
Assigner-CPANSec
Assigner Org ID-9b29abf9-4ab0-4765-b253-1875cd9b441e
View Known Exploited Vulnerability (KEV) details
Published At-14 Jun, 2026 | 11:39
Updated At-21 Jun, 2026 | 13:34
Rejected At-
▼CVE Numbering Authority (CNA)
GD versions before 2.86 for Perl allow OS command injection and file overwrite via a 2-arg open() of filename arguments in _make_filehandle

GD versions before 2.86 for Perl allow OS command injection and file overwrite via a 2-arg open() of filename arguments in _make_filehandle. GD::Image::_make_filehandle opens a filename argument with Perl's 2-arg open(), so a filename that begins or ends with a pipe ("| cmd", "cmd |") or begins with a redirect ("> path", ">> path") is run as a command or redirect rather than opened as a file. _make_filehandle is the single open path behind every filename-accepting constructor (new, newFromPng, newFromJpeg, and the rest); the in-memory *Data variants do not open a path and are unaffected. Any caller that forwards untrusted input to one of these constructors as a pathname can run an arbitrary command or truncate a file under the process UID.

Affected Products
Vendor
RURBAN
Product
GD
Collection URL
https://cpan.org/modules
Package Name
GD
Repo
https://github.com/lstein/Perl-GD
Program Files
  • lib/GD/Image.pm
  • lib/GD/Image_pm.PL
Program Routines
  • GD::Image::_make_filehandle
Default Status
unaffected
Versions
Affected
  • From 0 before 2.86 (custom)
Problem Types
TypeCWE IDDescription
CWECWE-78CWE-78 Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CWECWE-73CWE-73 External Control of File Name or Path
Type: CWE
CWE ID: CWE-78
Description: CWE-78 Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
Type: CWE
CWE ID: CWE-73
Description: CWE-73 External Control of File Name or Path
Metrics
VersionBase scoreBase severityVector
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions

Upgrade to GD 2.86 or later, which opens filename arguments with a 3-arg read open so the filename is never interpreted as a command or redirect.

Configurations
Workarounds

For deployments that cannot upgrade to 2.86, do not pass untrusted input as a pathname to GD::Image constructors. Callers can open the file themselves and pass the resulting filehandle, which bypasses the affected string path.

Exploits
Credits
Timeline
EventDate
Replaced By
Rejected Reason
References
HyperlinkResource
https://github.com/lstein/Perl-GD/commit/67b163713c6c78dfeb693da0978ae934e5cd8210.patch
patch
https://metacpan.org/release/RURBAN/GD-2.86/changes
release-notes
Hyperlink: https://github.com/lstein/Perl-GD/commit/67b163713c6c78dfeb693da0978ae934e5cd8210.patch
Resource:
patch
Hyperlink: https://metacpan.org/release/RURBAN/GD-2.86/changes
Resource:
release-notes
▼Authorized Data Publishers (ADP)
1. CVE Program Container
Affected Products
Metrics
VersionBase scoreBase severityVector
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions
Configurations
Workarounds
Exploits
Credits
Timeline
EventDate
Replaced By
Rejected Reason
References
HyperlinkResource
http://www.openwall.com/lists/oss-security/2026/06/14/4
N/A
https://lists.debian.org/debian-lts-announce/2026/06/msg00027.html
N/A
Hyperlink: http://www.openwall.com/lists/oss-security/2026/06/14/4
Resource: N/A
Hyperlink: https://lists.debian.org/debian-lts-announce/2026/06/msg00027.html
Resource: N/A
2. CISA ADP Vulnrichment
Affected Products
Metrics
VersionBase scoreBase severityVector
3.19.8CRITICAL
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Version: 3.1
Base score: 9.8
Base severity: CRITICAL
Vector:
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions
Configurations
Workarounds
Exploits
Credits
Timeline
EventDate
Replaced By
Rejected Reason
References
HyperlinkResource
Details not found