CVE-2026-8500: Web::Passwd versions through 0.03 for Perl is vulnerable to RCE

CVE-2026-8500: Web::Passwd versions through 0.03 for Perl is vulnerable to RCE Robert Rothenberg 13 May 2026 22:26 UTC

========================================================================
CVE-2026-8500                                        CPAN Security Group
========================================================================

         CVE ID:  CVE-2026-8500
   Distribution:  Web-Passwd
       Versions:  through 0.03

       MetaCPAN:  https://metacpan.org/dist/Web-Passwd

Web::Passwd versions through 0.03 for Perl is vulnerable to RCE

Description
-----------
Web::Passwd versions through 0.03 for Perl is vulnerable to RCE.

Web::Passwd is a small CGI application for managing htpasswd files
using the htpasswd command.

The user parameter is not validated or escaped, and is used as the last
argument on the command line, allowing for command injection.

Problem types
-------------
- CWE-78 Improper Neutralization of Special Elements used in an OS
   Command

Solutions
---------
This application has not been updated since 2007 and appears to have
been abandoned. Use other solutions.

References
----------
https://metacpan.org/release/EVANK/Web-Passwd-0.03
https://httpd.apache.org/docs/current/programs/htpasswd.html

Timeline
--------
- 2007-02-08: Web::Passwd 0.03 was released