CVE-2026-3257: UnQLite versions through 0.06 for Perl use a potentially insecure version of the UnQLite library
Timothy Legge 05 Mar 2026 01:36 UTC
========================================================================
CVE-2026-3257 CPAN Security Group
========================================================================
CVE ID: CVE-2026-3257
Distribution: UnQLite
Versions: through 0.06
MetaCPAN: https://metacpan.org/dist/UnQLite
VCS Repo: https://github.com/tokuhirom/UnQLite

UnQLite versions through 0.06 for Perl use a potentially insecure
version of the UnQLite library

Description
-----------
UnQLite versions through 0.06 for Perl use a potentially insecure
version of the UnQLite library.

UnQLite for Perl embeds the UnQLite library. Versions 0.06 and earlier
of the Perl module use a version of the library from 2014 that may be
vulnerable to a heap-based overflow.

Problem types
-------------
- CWE-1395 Dependency on Vulnerable Third-Party Component

Workarounds
-----------
Upgrade to UnQLite for Perl version 0.07 or later.

Solutions
---------
UnQLite for Perl has been deprecated since version 0.06. Migrate to a
different solution.
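
To find installs that fall under the Workarounds and Solutions above, the following added example (a hypothetical audit script, not code from this advisory or from the UnQLite distribution) locates every UnQLite.pm visible to a perl interpreter and compares its version against the 0.07 upgrade target. It assumes Module::Metadata is available, which is the case for Perl 5.14 and later.

```perl
#!/usr/bin/env perl
# Added example (hypothetical audit script, not part of the advisory).
use strict;
use warnings;
use File::Spec;
use Module::Metadata;    # core since Perl 5.14; reads $VERSION without loading the XS module
use version;

# From the advisory: versions through 0.06 are affected; 0.07 is the upgrade target.
my $FIXED = version->parse('0.07');

# Map a version object (or undef when no $VERSION could be read) to a status.
sub classify {
    my ($v) = @_;
    return 'UNKNOWN version, treat as affected' unless defined $v;
    return $v < $FIXED
        ? 'AFFECTED by CVE-2026-3257'
        : 'not in affected range, but the module is deprecated';
}

# Search the directories given on the command line, else the running perl's @INC.
my @dirs = @ARGV ? @ARGV : grep { !ref } @INC;    # skip code-ref @INC hooks
my ( %seen, $affected );

for my $dir (@dirs) {
    my $pm = File::Spec->catfile( $dir, 'UnQLite.pm' );
    next unless -f $pm;
    next if $seen{ File::Spec->rel2abs($pm) }++;    # same file via two @INC entries

    my $meta   = Module::Metadata->new_from_file($pm);
    my $v      = $meta ? $meta->version : undef;
    my $status = classify($v);
    $affected++ if $status !~ /^not in affected range/;

    printf "%s\n  version: %s\n  status:  %s\n", $pm, defined $v ? "$v" : '?', $status;
}

print "No UnQLite.pm found in the searched directories.\n" unless %seen;
exit( $affected ? 1 : 0 );    # non-zero exit lets CI or fleet tooling flag the host
```

Run it once per perl interpreter on the host (system perl, perlbrew or plenv builds, application-local library directories passed as arguments), since each has its own @INC.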

References
----------
https://metacpan.org/release/TOKUHIROM/UnQLite-0.07/source/Changes
https://www.cve.org/CVERecord?id=CVE-2025-3791
https://unqlite.symisc.net/