CVE-2026-15392: DBD::File versions before 1.651 for Perl do not ensure the table file is not a symlink to an untrusted location Robert Rothenberg 14 Jul 2026 15:39 UTC

========================================================================
CVE-2026-15392                                       CPAN Security Group
========================================================================

         CVE ID:  CVE-2026-15392
   Distribution:  DBI
       Versions:  before 1.651

       MetaCPAN:  https://metacpan.org/dist/DBI
       VCS Repo:  https://github.com/perl5-dbi/dbi

DBD::File versions before 1.651 for Perl do not ensure the table file
is not a symlink to an untrusted location

Description
-----------
DBD::File versions before 1.651 for Perl do not ensure the table file
is not a symlink to an untrusted location.

The complete_table_name method builds the absolute table file path
without checking whether the file is a symbolic link. A link inside the
data directory can point to a table file at any path outside of the
configured f_dir and f_dir_search directories.

Callers of file-based drivers can read or write files outside of the
data directory.

Problem types
-------------
- CWE-22 Improper Limitation of a Pathname to a Restricted Directory
   ('Path Traversal')
- CWE-59 Improper Link Resolution Before File Access ('Link Following')

Solutions
---------
Upgrade to version 1.651 or later.

References
----------
https://github.com/perl5-dbi/dbi/security/advisories/GHSA-mh3j-xwf4-jrqw
https://metacpan.org/release/HMBRAND/DBI-1.651/changes
https://github.com/perl5-dbi/dbi/commit/96d62dfe4528bf56fe13f413ed323d4252531728.patch