Search criteria
2 vulnerabilities found for Plack::Middleware::XSendfile by MIYAGAWA
CVE-2026-7381 (GCVE-0-2026-7381)
Vulnerability from nvd – Published: 2026-04-29 22:13 – Updated: 2026-04-30 13:18
VLAI?
Title
Plack::Middleware::XSendfile versions through 1.0053 for Perl can allow client-controlled path rewriting
Summary
Plack::Middleware::XSendfile versions through 1.0053 for Perl can allow client-controlled path rewriting.
Plack::Middleware::XSendfile allows the variation setting (sendfile type) to be set by the client via the X-Sendfile-Type header, if it is not considered in the middleware constructor or the Plack environment.
A malicious client can set the X-Sendfile-Type header to "X-Accel-Redirect" to services running behind nginx reverse proxies, and then set the X-Accel-Mapping to map the path to an arbitrary file on the server.
Since 1.0053, Plack::Middleware::XSendfile is deprecated and will be removed from future releases of Plack.
This is similar to CVE-2025-61780 for Rack::Sendfile, although Plack::Middleware::XSendfile has some mitigations that disallow regular expressions to be used in the mapping, and only apply the mapping for the "X-Accel-Redirect" type.
Severity ?
9.1 (Critical)
CWE
Assigner
References
3 references
| URL | Tags |
|---|---|
| https://metacpan.org/release/MIYAGAWA/Plack-1.005… | release-notes |
| https://metacpan.org/release/MIYAGAWA/Plack-1.005… | technical-description |
| https://nvd.nist.gov/vuln/detail/CVE-2025-61780 | related |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| MIYAGAWA | Plack::Middleware::XSendfile |
Affected:
0 , ≤ 1.0053
(custom)
|
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 9.1,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2026-7381",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-04-30T13:18:16.234435Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-30T13:18:45.937Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://cpan.org/modules",
"defaultStatus": "unaffected",
"packageName": "Plack",
"product": "Plack::Middleware::XSendfile",
"programFiles": [
"lib/Plack/Middleware::XSendfile.pm"
],
"repo": "https://github.com/plack/Plack",
"vendor": "MIYAGAWA",
"versions": [
{
"lessThanOrEqual": "1.0053",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "CPANSec"
}
],
"descriptions": [
{
"lang": "en",
"value": "Plack::Middleware::XSendfile versions through 1.0053 for Perl can allow client-controlled path rewriting.\n\nPlack::Middleware::XSendfile allows the variation setting (sendfile type) to be set by the client via the X-Sendfile-Type header, if it is not considered in the middleware constructor or the Plack environment.\n\nA malicious client can set the X-Sendfile-Type header to \"X-Accel-Redirect\" to services running behind nginx reverse proxies, and then set the X-Accel-Mapping to map the path to an arbitrary file on the server.\n\nSince 1.0053, Plack::Middleware::XSendfile is deprecated and will be removed from future releases of Plack.\n\nThis is similar to CVE-2025-61780 for Rack::Sendfile, although Plack::Middleware::XSendfile has some mitigations that disallow regular expressions to be used in the mapping, and only apply the mapping for the \"X-Accel-Redirect\" type."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-200",
"description": "CWE-200 Exposure of Sensitive Information to an Unauthorized Actor",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-441",
"description": "CWE-441 Unintended Proxy or Intermediary",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-913",
"description": "CWE-913 Improper Control of Dynamically-Managed Code Resources",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-29T22:13:35.351Z",
"orgId": "9b29abf9-4ab0-4765-b253-1875cd9b441e",
"shortName": "CPANSec"
},
"references": [
{
"tags": [
"release-notes"
],
"url": "https://metacpan.org/release/MIYAGAWA/Plack-1.0053/changes"
},
{
"tags": [
"technical-description"
],
"url": "https://metacpan.org/release/MIYAGAWA/Plack-1.0053/view/lib/Plack/Middleware/XSendfile.pm#DEPRECATION-NOTICE"
},
{
"tags": [
"related"
],
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-61780"
}
],
"solutions": [
{
"lang": "en",
"value": "Users are encouraged to set the appropriate header directly in their applications, or write their own middleware layer that does not allow configuration to be passed via HTTP request headers."
}
],
"source": {
"discovery": "UNKNOWN"
},
"timeline": [
{
"lang": "en",
"time": "2025-10-10T00:00:00.000Z",
"value": "Issue for Rack::Sendfile reported"
},
{
"lang": "en",
"time": "2026-04-27T00:00:00.000Z",
"value": "Issue reported to maintainer of Plack"
},
{
"lang": "en",
"time": "2025-04-28T00:00:00.000Z",
"value": "Plack 1.0052 released with improved security documentation in Plack::Middleware::XSendfile"
},
{
"lang": "en",
"time": "2025-04-29T00:00:00.000Z",
"value": "Plack 1.0053 released that deprecates Plack::Middleware::XSendfile"
}
],
"title": "Plack::Middleware::XSendfile versions through 1.0053 for Perl can allow client-controlled path rewriting",
"workarounds": [
{
"lang": "en",
"value": "Users can configure the X-Sendfile-Type in the middleware constructor, and the reverse proxy to unset the X-Sendfile-Type header and (on nginx) the X-Accel-Mapping request header."
}
],
"x_generator": {
"engine": "cpansec-cna-tool 0.1"
}
}
},
"cveMetadata": {
"assignerOrgId": "9b29abf9-4ab0-4765-b253-1875cd9b441e",
"assignerShortName": "CPANSec",
"cveId": "CVE-2026-7381",
"datePublished": "2026-04-29T22:13:35.351Z",
"dateReserved": "2026-04-29T07:43:55.519Z",
"dateUpdated": "2026-04-30T13:18:45.937Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-7381 (GCVE-0-2026-7381)
Vulnerability from cvelistv5 – Published: 2026-04-29 22:13 – Updated: 2026-04-30 13:18
VLAI?
Title
Plack::Middleware::XSendfile versions through 1.0053 for Perl can allow client-controlled path rewriting
Summary
Plack::Middleware::XSendfile versions through 1.0053 for Perl can allow client-controlled path rewriting.
Plack::Middleware::XSendfile allows the variation setting (sendfile type) to be set by the client via the X-Sendfile-Type header, if it is not considered in the middleware constructor or the Plack environment.
A malicious client can set the X-Sendfile-Type header to "X-Accel-Redirect" to services running behind nginx reverse proxies, and then set the X-Accel-Mapping to map the path to an arbitrary file on the server.
Since 1.0053, Plack::Middleware::XSendfile is deprecated and will be removed from future releases of Plack.
This is similar to CVE-2025-61780 for Rack::Sendfile, although Plack::Middleware::XSendfile has some mitigations that disallow regular expressions to be used in the mapping, and only apply the mapping for the "X-Accel-Redirect" type.
Severity ?
9.1 (Critical)
CWE
Assigner
References
3 references
| URL | Tags |
|---|---|
| https://metacpan.org/release/MIYAGAWA/Plack-1.005… | release-notes |
| https://metacpan.org/release/MIYAGAWA/Plack-1.005… | technical-description |
| https://nvd.nist.gov/vuln/detail/CVE-2025-61780 | related |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| MIYAGAWA | Plack::Middleware::XSendfile |
Affected:
0 , ≤ 1.0053
(custom)
|
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 9.1,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2026-7381",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-04-30T13:18:16.234435Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-30T13:18:45.937Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://cpan.org/modules",
"defaultStatus": "unaffected",
"packageName": "Plack",
"product": "Plack::Middleware::XSendfile",
"programFiles": [
"lib/Plack/Middleware::XSendfile.pm"
],
"repo": "https://github.com/plack/Plack",
"vendor": "MIYAGAWA",
"versions": [
{
"lessThanOrEqual": "1.0053",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "CPANSec"
}
],
"descriptions": [
{
"lang": "en",
"value": "Plack::Middleware::XSendfile versions through 1.0053 for Perl can allow client-controlled path rewriting.\n\nPlack::Middleware::XSendfile allows the variation setting (sendfile type) to be set by the client via the X-Sendfile-Type header, if it is not considered in the middleware constructor or the Plack environment.\n\nA malicious client can set the X-Sendfile-Type header to \"X-Accel-Redirect\" to services running behind nginx reverse proxies, and then set the X-Accel-Mapping to map the path to an arbitrary file on the server.\n\nSince 1.0053, Plack::Middleware::XSendfile is deprecated and will be removed from future releases of Plack.\n\nThis is similar to CVE-2025-61780 for Rack::Sendfile, although Plack::Middleware::XSendfile has some mitigations that disallow regular expressions to be used in the mapping, and only apply the mapping for the \"X-Accel-Redirect\" type."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-200",
"description": "CWE-200 Exposure of Sensitive Information to an Unauthorized Actor",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-441",
"description": "CWE-441 Unintended Proxy or Intermediary",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-913",
"description": "CWE-913 Improper Control of Dynamically-Managed Code Resources",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-29T22:13:35.351Z",
"orgId": "9b29abf9-4ab0-4765-b253-1875cd9b441e",
"shortName": "CPANSec"
},
"references": [
{
"tags": [
"release-notes"
],
"url": "https://metacpan.org/release/MIYAGAWA/Plack-1.0053/changes"
},
{
"tags": [
"technical-description"
],
"url": "https://metacpan.org/release/MIYAGAWA/Plack-1.0053/view/lib/Plack/Middleware/XSendfile.pm#DEPRECATION-NOTICE"
},
{
"tags": [
"related"
],
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-61780"
}
],
"solutions": [
{
"lang": "en",
"value": "Users are encouraged to set the appropriate header directly in their applications, or write their own middleware layer that does not allow configuration to be passed via HTTP request headers."
}
],
"source": {
"discovery": "UNKNOWN"
},
"timeline": [
{
"lang": "en",
"time": "2025-10-10T00:00:00.000Z",
"value": "Issue for Rack::Sendfile reported"
},
{
"lang": "en",
"time": "2026-04-27T00:00:00.000Z",
"value": "Issue reported to maintainer of Plack"
},
{
"lang": "en",
"time": "2025-04-28T00:00:00.000Z",
"value": "Plack 1.0052 released with improved security documentation in Plack::Middleware::XSendfile"
},
{
"lang": "en",
"time": "2025-04-29T00:00:00.000Z",
"value": "Plack 1.0053 released that deprecates Plack::Middleware::XSendfile"
}
],
"title": "Plack::Middleware::XSendfile versions through 1.0053 for Perl can allow client-controlled path rewriting",
"workarounds": [
{
"lang": "en",
"value": "Users can configure the X-Sendfile-Type in the middleware constructor, and the reverse proxy to unset the X-Sendfile-Type header and (on nginx) the X-Accel-Mapping request header."
}
],
"x_generator": {
"engine": "cpansec-cna-tool 0.1"
}
}
},
"cveMetadata": {
"assignerOrgId": "9b29abf9-4ab0-4765-b253-1875cd9b441e",
"assignerShortName": "CPANSec",
"cveId": "CVE-2026-7381",
"datePublished": "2026-04-29T22:13:35.351Z",
"dateReserved": "2026-04-29T07:43:55.519Z",
"dateUpdated": "2026-04-30T13:18:45.937Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}