Search
Find a vulnerability
Search criteria
8 vulnerabilities by oalders
CVE-2026-8829 (GCVE-0-2026-8829)
Vulnerability from nvd – Published: 2026-06-04 02:03 – Updated: 2026-06-28 11:34
VLAI
EPSS
VEX
Title
HTML::Entities versions before 3.84 for Perl read freed heap memory in _decode_entities
Summary
HTML::Entities versions before 3.84 for Perl read freed heap memory in _decode_entities.
The XS routine backing HTML::Entities::_decode_entities cached a pointer (repl) into the entity-value SV returned by hv_fetch on the entity2char hash. When the input SV was identical to a value SV in that hash, and that value contained its own key as an entity reference, a later call to grow_gap() reallocated the SV's PV buffer and freed the backing allocation that repl still pointed into. The subsequent copy loop read repl_len bytes from the freed allocation.
The read may disclose adjacent heap contents into the destination SV.
Severity
7.5 (High)
SSVC
Exploitation: none
Automatable: yes
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-416 - Use After Free
Assigner
References
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| OALDERS | HTML::Entities |
Affected:
0 , < 3.84
(custom)
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2026-06-28T11:34:26.121Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "http://www.openwall.com/lists/oss-security/2026/06/04/2"
},
{
"url": "https://lists.debian.org/debian-lts-announce/2026/06/msg00044.html"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2026-8829",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-04T12:59:04.771815Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-04T12:59:07.698Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://cpan.org/modules",
"defaultStatus": "unaffected",
"packageName": "HTML-Parser",
"product": "HTML::Entities",
"programFiles": [
"util.c"
],
"programRoutines": [
{
"name": "HTML::Entities::_decode_entities"
}
],
"repo": "https://github.com/libwww-perl/HTML-Parser",
"vendor": "OALDERS",
"versions": [
{
"lessThan": "3.84",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "HTML::Entities versions before 3.84 for Perl read freed heap memory in _decode_entities.\n\nThe XS routine backing HTML::Entities::_decode_entities cached a pointer (repl) into the entity-value SV returned by hv_fetch on the entity2char hash. When the input SV was identical to a value SV in that hash, and that value contained its own key as an entity reference, a later call to grow_gap() reallocated the SV\u0027s PV buffer and freed the backing allocation that repl still pointed into. The subsequent copy loop read repl_len bytes from the freed allocation.\n\nThe read may disclose adjacent heap contents into the destination SV."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-416",
"description": "CWE-416 Use After Free",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-04T02:03:46.702Z",
"orgId": "9b29abf9-4ab0-4765-b253-1875cd9b441e",
"shortName": "CPANSec"
},
"references": [
{
"tags": [
"patch"
],
"url": "https://github.com/libwww-perl/HTML-Parser/pull/56"
},
{
"tags": [
"patch"
],
"url": "https://github.com/libwww-perl/HTML-Parser/commit/6922552b0778c90a9587a3894e248be4d3a25e1c.patch"
}
],
"solutions": [
{
"lang": "en",
"value": "Upgrade to HTML-Parser 3.84 or later."
}
],
"source": {
"discovery": "UNKNOWN"
},
"timeline": [
{
"lang": "en",
"time": "2026-05-12T00:00:00.000Z",
"value": "Issue reported."
},
{
"lang": "en",
"time": "2026-05-19T00:00:00.000Z",
"value": "HTML-Parser 3.84 released."
}
],
"title": "HTML::Entities versions before 3.84 for Perl read freed heap memory in _decode_entities",
"x_generator": {
"engine": "cpansec-cna-tool 0.1"
}
}
},
"cveMetadata": {
"assignerOrgId": "9b29abf9-4ab0-4765-b253-1875cd9b441e",
"assignerShortName": "CPANSec",
"cveId": "CVE-2026-8829",
"datePublished": "2026-06-04T02:03:46.702Z",
"dateReserved": "2026-05-18T13:24:05.252Z",
"dateUpdated": "2026-06-28T11:34:26.121Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-8450 (GCVE-0-2026-8450)
Vulnerability from nvd – Published: 2026-05-27 04:22 – Updated: 2026-07-07 12:04
VLAI
EPSS
VEX
Title
HTTP::Daemon versions before 6.17 for Perl allow OS command injection via send_file()
Summary
HTTP::Daemon versions before 6.17 for Perl allow OS command injection via send_file().
send_file() opens its string argument with Perl's 2-arg open(). The 2-arg form interprets magic prefixes: '| cmd' and 'cmd |' open a pipe to a subprocess, '> path' and '>> path' open the path for write or append.
Untrusted input passed to send_file() can run OS commands at the daemon process UID. The read-pipe form ('cmd |') also leaks subprocess stdout into the HTTP response body. The write-mode forms can create or truncate files at attacker chosen paths.
Severity
9.1 (Critical)
8.1 (High)
SSVC
Exploitation: none
Automatable: yes
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
Assigner
References
11 references
| URL | Tags |
|---|---|
| https://github.com/libwww-perl/HTTP-Daemon/pull/89 | issue-tracking |
| https://github.com/libwww-perl/HTTP-Daemon/commit… | patch |
| https://metacpan.org/release/OALDERS/HTTP-Daemon-… | release-notes |
| http://www.openwall.com/lists/oss-security/2026/05/27/5 | |
| https://lists.debian.org/debian-lts-announce/2026… | |
| https://access.redhat.com/security/cve/CVE-2026-8450 | vdb-entryx_refsource_REDHAT |
| https://bugzilla.redhat.com/show_bug.cgi?id=2481773 | issue-trackingx_refsource_REDHAT |
| https://security.access.redhat.com/data/csaf/v2/v… | x_sadp-csaf-vex |
| https://access.redhat.com/errata/RHSA-2026:36189 | vendor-advisoryx_refsource_REDHAT |
| https://access.redhat.com/errata/RHSA-2026:36188 | vendor-advisoryx_refsource_REDHAT |
| https://access.redhat.com/errata/RHSA-2026:36187 | vendor-advisoryx_refsource_REDHAT |
Impacted products
5 products
| Vendor | Product | Version | |
|---|---|---|---|
| OALDERS | HTTP::Daemon |
Affected:
0 , < 6.17
(custom)
|
|
| Red Hat | Red Hat Enterprise Linux CodeReady Linux Builder (v. 10) |
cpe:/o:redhat:enterprise_linux:10.2 |
|
| Red Hat | Red Hat Enterprise Linux CRB (v. 8) |
cpe:/a:redhat:enterprise_linux:8::crb |
|
| Red Hat | Red Hat Enterprise Linux CodeReady Linux Builder (v. 9) |
cpe:/a:redhat:enterprise_linux:9::crb |
|
| Red Hat | Red Hat Enterprise Linux 7 |
cpe:/o:redhat:enterprise_linux:7 |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2026-06-22T07:58:11.660Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "http://www.openwall.com/lists/oss-security/2026/05/27/5"
},
{
"url": "https://lists.debian.org/debian-lts-announce/2026/06/msg00028.html"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 9.1,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2026-8450",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-27T15:46:44.248133Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-27T15:54:59.687Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"affected": [
{
"cpes": [
"cpe:/o:redhat:enterprise_linux:10.2"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux CodeReady Linux Builder (v. 10)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:enterprise_linux:8::crb"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux CRB (v. 8)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:enterprise_linux:9::crb"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux CodeReady Linux Builder (v. 9)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:enterprise_linux:7"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux 7",
"vendor": "Red Hat"
}
],
"datePublic": "2026-05-27T04:22:26.539Z",
"descriptions": [
{
"lang": "en",
"value": "A flaw was found in HTTP::Daemon, a Perl module used for creating HTTP servers. A remote attacker can exploit this vulnerability by providing specially crafted input to the `send_file()` function, leading to OS command injection. This allows the attacker to execute arbitrary commands on the system with the privileges of the daemon process, potentially resulting in full system compromise or data manipulation."
}
],
"metrics": [
{
"other": {
"content": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"value": "Important"
},
"type": "Red Hat severity rating"
}
},
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS"
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-78",
"description": "Improper Neutralization of Special Elements used in an OS Command (\u0027OS Command Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-07-07T12:04:46.594Z",
"orgId": "0b0ca135-0b70-47e7-9f44-1890c2a1c46c",
"shortName": "redhat-SADP"
},
"references": [
{
"tags": [
"vdb-entry",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/security/cve/CVE-2026-8450"
},
{
"name": "RHBZ#2481773",
"tags": [
"issue-tracking",
"x_refsource_REDHAT"
],
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2481773"
},
{
"tags": [
"x_sadp-csaf-vex"
],
"url": "https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-8450.json"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:36189"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:36188"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:36187"
}
],
"solutions": [
{
"lang": "en",
"value": "RHSA-2026:36189: Red Hat Enterprise Linux CodeReady Linux Builder (v. 10)"
},
{
"lang": "en",
"value": "RHSA-2026:36188: Red Hat Enterprise Linux CRB (v. 8)"
},
{
"lang": "en",
"value": "RHSA-2026:36187: Red Hat Enterprise Linux CodeReady Linux Builder (v. 9)"
}
],
"timeline": [
{
"lang": "en",
"time": "2026-05-27T05:00:58.395Z",
"value": "Reported to Red Hat."
},
{
"lang": "en",
"time": "2026-05-27T04:22:26.539Z",
"value": "Made public."
}
],
"title": "perl-HTTP-Daemon: HTTP::Daemon: Arbitrary code execution via OS command injection in send_file()",
"x_adpType": "supplier",
"x_generator": {
"engine": "sadp-cli 1.0.0"
}
}
],
"cna": {
"affected": [
{
"collectionURL": "https://cpan.org/modules",
"defaultStatus": "unaffected",
"packageName": "HTTP-Daemon",
"product": "HTTP::Daemon",
"programFiles": [
"lib/HTTP/Daemon.pm"
],
"programRoutines": [
{
"name": "HTTP::Daemon::ClientConn::send_file"
}
],
"repo": "https://github.com/libwww-perl/HTTP-Daemon",
"vendor": "OALDERS",
"versions": [
{
"lessThan": "6.17",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "HTTP::Daemon versions before 6.17 for Perl allow OS command injection via send_file().\n\nsend_file() opens its string argument with Perl\u0027s 2-arg open(). The 2-arg form interprets magic prefixes: \u0027| cmd\u0027 and \u0027cmd |\u0027 open a pipe to a subprocess, \u0027\u003e path\u0027 and \u0027\u003e\u003e path\u0027 open the path for write or append.\n\nUntrusted input passed to send_file() can run OS commands at the daemon process UID. The read-pipe form (\u0027cmd |\u0027) also leaks subprocess stdout into the HTTP response body. The write-mode forms can create or truncate files at attacker chosen paths."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-78",
"description": "CWE-78 Improper Neutralization of Special Elements used in an OS Command (\u0027OS Command Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-73",
"description": "CWE-73 External Control of File Name or Path",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-27T04:22:26.539Z",
"orgId": "9b29abf9-4ab0-4765-b253-1875cd9b441e",
"shortName": "CPANSec"
},
"references": [
{
"tags": [
"issue-tracking"
],
"url": "https://github.com/libwww-perl/HTTP-Daemon/pull/89"
},
{
"tags": [
"patch"
],
"url": "https://github.com/libwww-perl/HTTP-Daemon/commit/945d35141d94490f749640bd4390acd6a2193995.patch"
},
{
"tags": [
"release-notes"
],
"url": "https://metacpan.org/release/OALDERS/HTTP-Daemon-6.17/changes"
}
],
"solutions": [
{
"lang": "en",
"value": "Upgrade to HTTP-Daemon 6.17 or later."
}
],
"source": {
"discovery": "UNKNOWN"
},
"timeline": [
{
"lang": "en",
"time": "2026-05-12T00:00:00.000Z",
"value": "Issue identified."
},
{
"lang": "en",
"time": "2026-05-19T00:00:00.000Z",
"value": "HTTP-Daemon 6.17 released."
}
],
"title": "HTTP::Daemon versions before 6.17 for Perl allow OS command injection via send_file()",
"x_generator": {
"engine": "cpansec-cna-tool 0.1"
}
}
},
"cveMetadata": {
"assignerOrgId": "9b29abf9-4ab0-4765-b253-1875cd9b441e",
"assignerShortName": "CPANSec",
"cveId": "CVE-2026-8450",
"datePublished": "2026-05-27T04:22:26.539Z",
"dateReserved": "2026-05-12T21:26:04.212Z",
"dateUpdated": "2026-07-07T12:04:46.594Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-8612 (GCVE-0-2026-8612)
Vulnerability from nvd – Published: 2026-05-15 01:11 – Updated: 2026-05-15 14:31
VLAI
EPSS
VEX
Title
WWW::Mechanize::Cached versions before 2.00 for Perl deserialize cached HTTP responses from a world-writable on-disk cache, enabling local response forgery and code execution
Summary
WWW::Mechanize::Cached versions before 2.00 for Perl deserialize cached HTTP responses from a world-writable on-disk cache, enabling local response forgery and code execution.
With no explicit cache backend, WWW::Mechanize::Cached constructs a default Cache::FileCache under /tmp/FileCache without overriding the backend's documented directory_umask of 000, so the cache root and its subdirectories are created mode 0777 with no sticky bit. Cache entries are named by sha1_hex of the request and read back through Storable::thaw on the next cache hit.
A local attacker with write access to the cache tree can replace a victim's cache entry for a known URL with an arbitrary frozen HTTP::Response blob, causing the victim's next get() of that URL to return attacker controlled response bytes. Because the bytes are passed to Storable::thaw, a victim process that has loaded any class with a side-effectful STORABLE_thaw, DESTROY, or overload hook can be escalated to arbitrary code execution.
Severity
5.3 (Medium)
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
Assigner
References
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| OALDERS | WWW::Mechanize::Cached |
Affected:
0 , < 2.00
(custom)
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2026-05-15T05:18:42.682Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "http://www.openwall.com/lists/oss-security/2026/05/15/1"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "LOW",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2026-8612",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-15T14:30:45.332316Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-15T14:31:14.593Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://cpan.org/modules",
"defaultStatus": "unaffected",
"packageName": "WWW-Mechanize-Cached",
"product": "WWW::Mechanize::Cached",
"programFiles": [
"lib/WWW/Mechanize/Cached.pm"
],
"programRoutines": [
{
"name": "WWW::Mechanize::Cached::_build_cache"
},
{
"name": "WWW::Mechanize::Cached::_make_request"
}
],
"repo": "https://github.com/libwww-perl/WWW-Mechanize-Cached",
"vendor": "OALDERS",
"versions": [
{
"lessThan": "2.00",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "WWW::Mechanize::Cached versions before 2.00 for Perl deserialize cached HTTP responses from a world-writable on-disk cache, enabling local response forgery and code execution.\n\nWith no explicit cache backend, WWW::Mechanize::Cached constructs a default Cache::FileCache under /tmp/FileCache without overriding the backend\u0027s documented directory_umask of 000, so the cache root and its subdirectories are created mode 0777 with no sticky bit. Cache entries are named by sha1_hex of the request and read back through Storable::thaw on the next cache hit.\n\nA local attacker with write access to the cache tree can replace a victim\u0027s cache entry for a known URL with an arbitrary frozen HTTP::Response blob, causing the victim\u0027s next get() of that URL to return attacker controlled response bytes. Because the bytes are passed to Storable::thaw, a victim process that has loaded any class with a side-effectful STORABLE_thaw, DESTROY, or overload hook can be escalated to arbitrary code execution."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-732",
"description": "CWE-732 Incorrect Permission Assignment for Critical Resource",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-502",
"description": "CWE-502 Deserialization of Untrusted Data",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-15T01:11:55.018Z",
"orgId": "9b29abf9-4ab0-4765-b253-1875cd9b441e",
"shortName": "CPANSec"
},
"references": [
{
"tags": [
"patch"
],
"url": "https://github.com/libwww-perl/WWW-Mechanize-Cached/pull/36"
},
{
"tags": [
"patch"
],
"url": "https://github.com/libwww-perl/WWW-Mechanize-Cached/commit/b821647deeedf83490ebc1db91d959d942300ce0.patch"
},
{
"tags": [
"release-notes"
],
"url": "https://metacpan.org/release/OALDERS/WWW-Mechanize-Cached-2.00/changes"
}
],
"solutions": [
{
"lang": "en",
"value": "Upgrade to WWW-Mechanize-Cached 2.00 or later."
}
],
"source": {
"discovery": "UNKNOWN"
},
"timeline": [
{
"lang": "en",
"time": "2026-05-13T00:00:00.000Z",
"value": "Issue reported."
},
{
"lang": "en",
"time": "2026-05-14T00:00:00.000Z",
"value": "WWW-Mechanize-Cached 2.00 released with fix."
}
],
"title": "WWW::Mechanize::Cached versions before 2.00 for Perl deserialize cached HTTP responses from a world-writable on-disk cache, enabling local response forgery and code execution",
"x_generator": {
"engine": "cpansec-cna-tool 0.1"
}
}
},
"cveMetadata": {
"assignerOrgId": "9b29abf9-4ab0-4765-b253-1875cd9b441e",
"assignerShortName": "CPANSec",
"cveId": "CVE-2026-8612",
"datePublished": "2026-05-15T01:11:55.018Z",
"dateReserved": "2026-05-14T16:30:23.954Z",
"dateUpdated": "2026-05-15T14:31:14.593Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-8368 (GCVE-0-2026-8368)
Vulnerability from nvd – Published: 2026-05-12 14:01 – Updated: 2026-05-19 17:16
VLAI
EPSS
VEX
Title
LWP::UserAgent versions before 6.83 for Perl leak Authorization and Proxy-Authorization headers on cross-origin redirects
Summary
LWP::UserAgent versions before 6.83 for Perl leak Authorization and Proxy-Authorization headers on cross-origin redirects.
On a 3xx response, the redirect handler strips only Host and Cookie before issuing the follow-up request. Caller-supplied Authorization and Proxy-Authorization headers are sent unchanged to the redirect target, including across scheme, host, or port changes.
A redirect to an attacker controlled host therefore discloses the caller's credentials to that host.
Severity
6.5 (Medium)
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-522 - Insufficiently Protected Credentials
Assigner
References
5 references
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| OALDERS | LWP::UserAgent |
Affected:
0 , < 6.83
(custom)
|
Credits
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2026-05-12T17:41:03.656Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "http://www.openwall.com/lists/oss-security/2026/05/12/7"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2026-8368",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-13T14:30:39.897128Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-19T17:16:03.676Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://cpan.org/modules",
"defaultStatus": "unaffected",
"packageName": "libwww-perl",
"product": "LWP::UserAgent",
"programFiles": [
"lib/LWP/UserAgent.pm"
],
"programRoutines": [
{
"name": "LWP::UserAgent::request"
}
],
"repo": "https://github.com/libwww-perl/libwww-perl",
"vendor": "OALDERS",
"versions": [
{
"lessThan": "6.83",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "Kai Aizen"
}
],
"descriptions": [
{
"lang": "en",
"value": "LWP::UserAgent versions before 6.83 for Perl leak Authorization and Proxy-Authorization headers on cross-origin redirects.\n\nOn a 3xx response, the redirect handler strips only Host and Cookie before issuing the follow-up request. Caller-supplied Authorization and Proxy-Authorization headers are sent unchanged to the redirect target, including across scheme, host, or port changes.\n\nA redirect to an attacker controlled host therefore discloses the caller\u0027s credentials to that host."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-522",
"description": "CWE-522 Insufficiently Protected Credentials",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-12T14:01:25.365Z",
"orgId": "9b29abf9-4ab0-4765-b253-1875cd9b441e",
"shortName": "CPANSec"
},
"references": [
{
"tags": [
"patch"
],
"url": "https://github.com/libwww-perl/libwww-perl/commit/9c4aeb6f2dd32f2b7eaf2d7827cade31ea6cb2c6.patch"
},
{
"tags": [
"release-notes"
],
"url": "https://metacpan.org/release/OALDERS/libwww-perl-6.83/changes"
},
{
"tags": [
"issue-tracking"
],
"url": "https://github.com/libwww-perl/libwww-perl/pull/512"
},
{
"tags": [
"related"
],
"url": "https://github.com/libwww-perl/libwww-perl/pull/284"
}
],
"solutions": [
{
"lang": "en",
"value": "Upgrade to libwww-perl 6.83 or later."
}
],
"source": {
"discovery": "UNKNOWN"
},
"timeline": [
{
"lang": "en",
"time": "2026-05-11T00:00:00.000Z",
"value": "Issue reported."
},
{
"lang": "en",
"time": "2026-05-12T00:00:00.000Z",
"value": "libwww-perl 6.83 released with fix."
}
],
"title": "LWP::UserAgent versions before 6.83 for Perl leak Authorization and Proxy-Authorization headers on cross-origin redirects",
"x_generator": {
"engine": "cpansec-cna-tool 0.1"
}
}
},
"cveMetadata": {
"assignerOrgId": "9b29abf9-4ab0-4765-b253-1875cd9b441e",
"assignerShortName": "CPANSec",
"cveId": "CVE-2026-8368",
"datePublished": "2026-05-12T14:01:25.365Z",
"dateReserved": "2026-05-11T21:33:14.480Z",
"dateUpdated": "2026-05-19T17:16:03.676Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-8829 (GCVE-0-2026-8829)
Vulnerability from cvelistv5 – Published: 2026-06-04 02:03 – Updated: 2026-06-28 11:34
VLAI
EPSS
VEX
Title
HTML::Entities versions before 3.84 for Perl read freed heap memory in _decode_entities
Summary
HTML::Entities versions before 3.84 for Perl read freed heap memory in _decode_entities.
The XS routine backing HTML::Entities::_decode_entities cached a pointer (repl) into the entity-value SV returned by hv_fetch on the entity2char hash. When the input SV was identical to a value SV in that hash, and that value contained its own key as an entity reference, a later call to grow_gap() reallocated the SV's PV buffer and freed the backing allocation that repl still pointed into. The subsequent copy loop read repl_len bytes from the freed allocation.
The read may disclose adjacent heap contents into the destination SV.
Severity
7.5 (High)
SSVC
Exploitation: none
Automatable: yes
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-416 - Use After Free
Assigner
References
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| OALDERS | HTML::Entities |
Affected:
0 , < 3.84
(custom)
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2026-06-28T11:34:26.121Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "http://www.openwall.com/lists/oss-security/2026/06/04/2"
},
{
"url": "https://lists.debian.org/debian-lts-announce/2026/06/msg00044.html"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2026-8829",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-04T12:59:04.771815Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-04T12:59:07.698Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://cpan.org/modules",
"defaultStatus": "unaffected",
"packageName": "HTML-Parser",
"product": "HTML::Entities",
"programFiles": [
"util.c"
],
"programRoutines": [
{
"name": "HTML::Entities::_decode_entities"
}
],
"repo": "https://github.com/libwww-perl/HTML-Parser",
"vendor": "OALDERS",
"versions": [
{
"lessThan": "3.84",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "HTML::Entities versions before 3.84 for Perl read freed heap memory in _decode_entities.\n\nThe XS routine backing HTML::Entities::_decode_entities cached a pointer (repl) into the entity-value SV returned by hv_fetch on the entity2char hash. When the input SV was identical to a value SV in that hash, and that value contained its own key as an entity reference, a later call to grow_gap() reallocated the SV\u0027s PV buffer and freed the backing allocation that repl still pointed into. The subsequent copy loop read repl_len bytes from the freed allocation.\n\nThe read may disclose adjacent heap contents into the destination SV."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-416",
"description": "CWE-416 Use After Free",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-04T02:03:46.702Z",
"orgId": "9b29abf9-4ab0-4765-b253-1875cd9b441e",
"shortName": "CPANSec"
},
"references": [
{
"tags": [
"patch"
],
"url": "https://github.com/libwww-perl/HTML-Parser/pull/56"
},
{
"tags": [
"patch"
],
"url": "https://github.com/libwww-perl/HTML-Parser/commit/6922552b0778c90a9587a3894e248be4d3a25e1c.patch"
}
],
"solutions": [
{
"lang": "en",
"value": "Upgrade to HTML-Parser 3.84 or later."
}
],
"source": {
"discovery": "UNKNOWN"
},
"timeline": [
{
"lang": "en",
"time": "2026-05-12T00:00:00.000Z",
"value": "Issue reported."
},
{
"lang": "en",
"time": "2026-05-19T00:00:00.000Z",
"value": "HTML-Parser 3.84 released."
}
],
"title": "HTML::Entities versions before 3.84 for Perl read freed heap memory in _decode_entities",
"x_generator": {
"engine": "cpansec-cna-tool 0.1"
}
}
},
"cveMetadata": {
"assignerOrgId": "9b29abf9-4ab0-4765-b253-1875cd9b441e",
"assignerShortName": "CPANSec",
"cveId": "CVE-2026-8829",
"datePublished": "2026-06-04T02:03:46.702Z",
"dateReserved": "2026-05-18T13:24:05.252Z",
"dateUpdated": "2026-06-28T11:34:26.121Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-8450 (GCVE-0-2026-8450)
Vulnerability from cvelistv5 – Published: 2026-05-27 04:22 – Updated: 2026-07-07 12:04
VLAI
EPSS
VEX
Title
HTTP::Daemon versions before 6.17 for Perl allow OS command injection via send_file()
Summary
HTTP::Daemon versions before 6.17 for Perl allow OS command injection via send_file().
send_file() opens its string argument with Perl's 2-arg open(). The 2-arg form interprets magic prefixes: '| cmd' and 'cmd |' open a pipe to a subprocess, '> path' and '>> path' open the path for write or append.
Untrusted input passed to send_file() can run OS commands at the daemon process UID. The read-pipe form ('cmd |') also leaks subprocess stdout into the HTTP response body. The write-mode forms can create or truncate files at attacker chosen paths.
Severity
9.1 (Critical)
8.1 (High)
SSVC
Exploitation: none
Automatable: yes
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
Assigner
References
11 references
| URL | Tags |
|---|---|
| https://github.com/libwww-perl/HTTP-Daemon/pull/89 | issue-tracking |
| https://github.com/libwww-perl/HTTP-Daemon/commit… | patch |
| https://metacpan.org/release/OALDERS/HTTP-Daemon-… | release-notes |
| http://www.openwall.com/lists/oss-security/2026/05/27/5 | |
| https://lists.debian.org/debian-lts-announce/2026… | |
| https://access.redhat.com/security/cve/CVE-2026-8450 | vdb-entryx_refsource_REDHAT |
| https://bugzilla.redhat.com/show_bug.cgi?id=2481773 | issue-trackingx_refsource_REDHAT |
| https://security.access.redhat.com/data/csaf/v2/v… | x_sadp-csaf-vex |
| https://access.redhat.com/errata/RHSA-2026:36189 | vendor-advisoryx_refsource_REDHAT |
| https://access.redhat.com/errata/RHSA-2026:36188 | vendor-advisoryx_refsource_REDHAT |
| https://access.redhat.com/errata/RHSA-2026:36187 | vendor-advisoryx_refsource_REDHAT |
Impacted products
5 products
| Vendor | Product | Version | |
|---|---|---|---|
| OALDERS | HTTP::Daemon |
Affected:
0 , < 6.17
(custom)
|
|
| Red Hat | Red Hat Enterprise Linux CodeReady Linux Builder (v. 10) |
cpe:/o:redhat:enterprise_linux:10.2 |
|
| Red Hat | Red Hat Enterprise Linux CRB (v. 8) |
cpe:/a:redhat:enterprise_linux:8::crb |
|
| Red Hat | Red Hat Enterprise Linux CodeReady Linux Builder (v. 9) |
cpe:/a:redhat:enterprise_linux:9::crb |
|
| Red Hat | Red Hat Enterprise Linux 7 |
cpe:/o:redhat:enterprise_linux:7 |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2026-06-22T07:58:11.660Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "http://www.openwall.com/lists/oss-security/2026/05/27/5"
},
{
"url": "https://lists.debian.org/debian-lts-announce/2026/06/msg00028.html"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 9.1,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2026-8450",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-27T15:46:44.248133Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-27T15:54:59.687Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"affected": [
{
"cpes": [
"cpe:/o:redhat:enterprise_linux:10.2"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux CodeReady Linux Builder (v. 10)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:enterprise_linux:8::crb"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux CRB (v. 8)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:enterprise_linux:9::crb"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux CodeReady Linux Builder (v. 9)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:enterprise_linux:7"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux 7",
"vendor": "Red Hat"
}
],
"datePublic": "2026-05-27T04:22:26.539Z",
"descriptions": [
{
"lang": "en",
"value": "A flaw was found in HTTP::Daemon, a Perl module used for creating HTTP servers. A remote attacker can exploit this vulnerability by providing specially crafted input to the `send_file()` function, leading to OS command injection. This allows the attacker to execute arbitrary commands on the system with the privileges of the daemon process, potentially resulting in full system compromise or data manipulation."
}
],
"metrics": [
{
"other": {
"content": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"value": "Important"
},
"type": "Red Hat severity rating"
}
},
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS"
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-78",
"description": "Improper Neutralization of Special Elements used in an OS Command (\u0027OS Command Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-07-07T12:04:46.594Z",
"orgId": "0b0ca135-0b70-47e7-9f44-1890c2a1c46c",
"shortName": "redhat-SADP"
},
"references": [
{
"tags": [
"vdb-entry",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/security/cve/CVE-2026-8450"
},
{
"name": "RHBZ#2481773",
"tags": [
"issue-tracking",
"x_refsource_REDHAT"
],
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2481773"
},
{
"tags": [
"x_sadp-csaf-vex"
],
"url": "https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-8450.json"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:36189"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:36188"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:36187"
}
],
"solutions": [
{
"lang": "en",
"value": "RHSA-2026:36189: Red Hat Enterprise Linux CodeReady Linux Builder (v. 10)"
},
{
"lang": "en",
"value": "RHSA-2026:36188: Red Hat Enterprise Linux CRB (v. 8)"
},
{
"lang": "en",
"value": "RHSA-2026:36187: Red Hat Enterprise Linux CodeReady Linux Builder (v. 9)"
}
],
"timeline": [
{
"lang": "en",
"time": "2026-05-27T05:00:58.395Z",
"value": "Reported to Red Hat."
},
{
"lang": "en",
"time": "2026-05-27T04:22:26.539Z",
"value": "Made public."
}
],
"title": "perl-HTTP-Daemon: HTTP::Daemon: Arbitrary code execution via OS command injection in send_file()",
"x_adpType": "supplier",
"x_generator": {
"engine": "sadp-cli 1.0.0"
}
}
],
"cna": {
"affected": [
{
"collectionURL": "https://cpan.org/modules",
"defaultStatus": "unaffected",
"packageName": "HTTP-Daemon",
"product": "HTTP::Daemon",
"programFiles": [
"lib/HTTP/Daemon.pm"
],
"programRoutines": [
{
"name": "HTTP::Daemon::ClientConn::send_file"
}
],
"repo": "https://github.com/libwww-perl/HTTP-Daemon",
"vendor": "OALDERS",
"versions": [
{
"lessThan": "6.17",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "HTTP::Daemon versions before 6.17 for Perl allow OS command injection via send_file().\n\nsend_file() opens its string argument with Perl\u0027s 2-arg open(). The 2-arg form interprets magic prefixes: \u0027| cmd\u0027 and \u0027cmd |\u0027 open a pipe to a subprocess, \u0027\u003e path\u0027 and \u0027\u003e\u003e path\u0027 open the path for write or append.\n\nUntrusted input passed to send_file() can run OS commands at the daemon process UID. The read-pipe form (\u0027cmd |\u0027) also leaks subprocess stdout into the HTTP response body. The write-mode forms can create or truncate files at attacker chosen paths."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-78",
"description": "CWE-78 Improper Neutralization of Special Elements used in an OS Command (\u0027OS Command Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-73",
"description": "CWE-73 External Control of File Name or Path",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-27T04:22:26.539Z",
"orgId": "9b29abf9-4ab0-4765-b253-1875cd9b441e",
"shortName": "CPANSec"
},
"references": [
{
"tags": [
"issue-tracking"
],
"url": "https://github.com/libwww-perl/HTTP-Daemon/pull/89"
},
{
"tags": [
"patch"
],
"url": "https://github.com/libwww-perl/HTTP-Daemon/commit/945d35141d94490f749640bd4390acd6a2193995.patch"
},
{
"tags": [
"release-notes"
],
"url": "https://metacpan.org/release/OALDERS/HTTP-Daemon-6.17/changes"
}
],
"solutions": [
{
"lang": "en",
"value": "Upgrade to HTTP-Daemon 6.17 or later."
}
],
"source": {
"discovery": "UNKNOWN"
},
"timeline": [
{
"lang": "en",
"time": "2026-05-12T00:00:00.000Z",
"value": "Issue identified."
},
{
"lang": "en",
"time": "2026-05-19T00:00:00.000Z",
"value": "HTTP-Daemon 6.17 released."
}
],
"title": "HTTP::Daemon versions before 6.17 for Perl allow OS command injection via send_file()",
"x_generator": {
"engine": "cpansec-cna-tool 0.1"
}
}
},
"cveMetadata": {
"assignerOrgId": "9b29abf9-4ab0-4765-b253-1875cd9b441e",
"assignerShortName": "CPANSec",
"cveId": "CVE-2026-8450",
"datePublished": "2026-05-27T04:22:26.539Z",
"dateReserved": "2026-05-12T21:26:04.212Z",
"dateUpdated": "2026-07-07T12:04:46.594Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-8612 (GCVE-0-2026-8612)
Vulnerability from cvelistv5 – Published: 2026-05-15 01:11 – Updated: 2026-05-15 14:31
VLAI
EPSS
VEX
Title
WWW::Mechanize::Cached versions before 2.00 for Perl deserialize cached HTTP responses from a world-writable on-disk cache, enabling local response forgery and code execution
Summary
WWW::Mechanize::Cached versions before 2.00 for Perl deserialize cached HTTP responses from a world-writable on-disk cache, enabling local response forgery and code execution.
With no explicit cache backend, WWW::Mechanize::Cached constructs a default Cache::FileCache under /tmp/FileCache without overriding the backend's documented directory_umask of 000, so the cache root and its subdirectories are created mode 0777 with no sticky bit. Cache entries are named by sha1_hex of the request and read back through Storable::thaw on the next cache hit.
A local attacker with write access to the cache tree can replace a victim's cache entry for a known URL with an arbitrary frozen HTTP::Response blob, causing the victim's next get() of that URL to return attacker controlled response bytes. Because the bytes are passed to Storable::thaw, a victim process that has loaded any class with a side-effectful STORABLE_thaw, DESTROY, or overload hook can be escalated to arbitrary code execution.
Severity
5.3 (Medium)
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
Assigner
References
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| OALDERS | WWW::Mechanize::Cached |
Affected:
0 , < 2.00
(custom)
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2026-05-15T05:18:42.682Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "http://www.openwall.com/lists/oss-security/2026/05/15/1"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "LOW",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2026-8612",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-15T14:30:45.332316Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-15T14:31:14.593Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://cpan.org/modules",
"defaultStatus": "unaffected",
"packageName": "WWW-Mechanize-Cached",
"product": "WWW::Mechanize::Cached",
"programFiles": [
"lib/WWW/Mechanize/Cached.pm"
],
"programRoutines": [
{
"name": "WWW::Mechanize::Cached::_build_cache"
},
{
"name": "WWW::Mechanize::Cached::_make_request"
}
],
"repo": "https://github.com/libwww-perl/WWW-Mechanize-Cached",
"vendor": "OALDERS",
"versions": [
{
"lessThan": "2.00",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "WWW::Mechanize::Cached versions before 2.00 for Perl deserialize cached HTTP responses from a world-writable on-disk cache, enabling local response forgery and code execution.\n\nWith no explicit cache backend, WWW::Mechanize::Cached constructs a default Cache::FileCache under /tmp/FileCache without overriding the backend\u0027s documented directory_umask of 000, so the cache root and its subdirectories are created mode 0777 with no sticky bit. Cache entries are named by sha1_hex of the request and read back through Storable::thaw on the next cache hit.\n\nA local attacker with write access to the cache tree can replace a victim\u0027s cache entry for a known URL with an arbitrary frozen HTTP::Response blob, causing the victim\u0027s next get() of that URL to return attacker controlled response bytes. Because the bytes are passed to Storable::thaw, a victim process that has loaded any class with a side-effectful STORABLE_thaw, DESTROY, or overload hook can be escalated to arbitrary code execution."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-732",
"description": "CWE-732 Incorrect Permission Assignment for Critical Resource",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-502",
"description": "CWE-502 Deserialization of Untrusted Data",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-15T01:11:55.018Z",
"orgId": "9b29abf9-4ab0-4765-b253-1875cd9b441e",
"shortName": "CPANSec"
},
"references": [
{
"tags": [
"patch"
],
"url": "https://github.com/libwww-perl/WWW-Mechanize-Cached/pull/36"
},
{
"tags": [
"patch"
],
"url": "https://github.com/libwww-perl/WWW-Mechanize-Cached/commit/b821647deeedf83490ebc1db91d959d942300ce0.patch"
},
{
"tags": [
"release-notes"
],
"url": "https://metacpan.org/release/OALDERS/WWW-Mechanize-Cached-2.00/changes"
}
],
"solutions": [
{
"lang": "en",
"value": "Upgrade to WWW-Mechanize-Cached 2.00 or later."
}
],
"source": {
"discovery": "UNKNOWN"
},
"timeline": [
{
"lang": "en",
"time": "2026-05-13T00:00:00.000Z",
"value": "Issue reported."
},
{
"lang": "en",
"time": "2026-05-14T00:00:00.000Z",
"value": "WWW-Mechanize-Cached 2.00 released with fix."
}
],
"title": "WWW::Mechanize::Cached versions before 2.00 for Perl deserialize cached HTTP responses from a world-writable on-disk cache, enabling local response forgery and code execution",
"x_generator": {
"engine": "cpansec-cna-tool 0.1"
}
}
},
"cveMetadata": {
"assignerOrgId": "9b29abf9-4ab0-4765-b253-1875cd9b441e",
"assignerShortName": "CPANSec",
"cveId": "CVE-2026-8612",
"datePublished": "2026-05-15T01:11:55.018Z",
"dateReserved": "2026-05-14T16:30:23.954Z",
"dateUpdated": "2026-05-15T14:31:14.593Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-8368 (GCVE-0-2026-8368)
Vulnerability from cvelistv5 – Published: 2026-05-12 14:01 – Updated: 2026-05-19 17:16
VLAI
EPSS
VEX
Title
LWP::UserAgent versions before 6.83 for Perl leak Authorization and Proxy-Authorization headers on cross-origin redirects
Summary
LWP::UserAgent versions before 6.83 for Perl leak Authorization and Proxy-Authorization headers on cross-origin redirects.
On a 3xx response, the redirect handler strips only Host and Cookie before issuing the follow-up request. Caller-supplied Authorization and Proxy-Authorization headers are sent unchanged to the redirect target, including across scheme, host, or port changes.
A redirect to an attacker controlled host therefore discloses the caller's credentials to that host.
Severity
6.5 (Medium)
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-522 - Insufficiently Protected Credentials
Assigner
References
5 references
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| OALDERS | LWP::UserAgent |
Affected:
0 , < 6.83
(custom)
|
Credits
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2026-05-12T17:41:03.656Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "http://www.openwall.com/lists/oss-security/2026/05/12/7"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2026-8368",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-13T14:30:39.897128Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-19T17:16:03.676Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://cpan.org/modules",
"defaultStatus": "unaffected",
"packageName": "libwww-perl",
"product": "LWP::UserAgent",
"programFiles": [
"lib/LWP/UserAgent.pm"
],
"programRoutines": [
{
"name": "LWP::UserAgent::request"
}
],
"repo": "https://github.com/libwww-perl/libwww-perl",
"vendor": "OALDERS",
"versions": [
{
"lessThan": "6.83",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "Kai Aizen"
}
],
"descriptions": [
{
"lang": "en",
"value": "LWP::UserAgent versions before 6.83 for Perl leak Authorization and Proxy-Authorization headers on cross-origin redirects.\n\nOn a 3xx response, the redirect handler strips only Host and Cookie before issuing the follow-up request. Caller-supplied Authorization and Proxy-Authorization headers are sent unchanged to the redirect target, including across scheme, host, or port changes.\n\nA redirect to an attacker controlled host therefore discloses the caller\u0027s credentials to that host."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-522",
"description": "CWE-522 Insufficiently Protected Credentials",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-12T14:01:25.365Z",
"orgId": "9b29abf9-4ab0-4765-b253-1875cd9b441e",
"shortName": "CPANSec"
},
"references": [
{
"tags": [
"patch"
],
"url": "https://github.com/libwww-perl/libwww-perl/commit/9c4aeb6f2dd32f2b7eaf2d7827cade31ea6cb2c6.patch"
},
{
"tags": [
"release-notes"
],
"url": "https://metacpan.org/release/OALDERS/libwww-perl-6.83/changes"
},
{
"tags": [
"issue-tracking"
],
"url": "https://github.com/libwww-perl/libwww-perl/pull/512"
},
{
"tags": [
"related"
],
"url": "https://github.com/libwww-perl/libwww-perl/pull/284"
}
],
"solutions": [
{
"lang": "en",
"value": "Upgrade to libwww-perl 6.83 or later."
}
],
"source": {
"discovery": "UNKNOWN"
},
"timeline": [
{
"lang": "en",
"time": "2026-05-11T00:00:00.000Z",
"value": "Issue reported."
},
{
"lang": "en",
"time": "2026-05-12T00:00:00.000Z",
"value": "libwww-perl 6.83 released with fix."
}
],
"title": "LWP::UserAgent versions before 6.83 for Perl leak Authorization and Proxy-Authorization headers on cross-origin redirects",
"x_generator": {
"engine": "cpansec-cna-tool 0.1"
}
}
},
"cveMetadata": {
"assignerOrgId": "9b29abf9-4ab0-4765-b253-1875cd9b441e",
"assignerShortName": "CPANSec",
"cveId": "CVE-2026-8368",
"datePublished": "2026-05-12T14:01:25.365Z",
"dateReserved": "2026-05-11T21:33:14.480Z",
"dateUpdated": "2026-05-19T17:16:03.676Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}