CVE-2026-15392: DBD::File versions before 1.651 for Perl do not ensure the table file is not a symlink to an untrusted location
Robert Rothenberg 14 Jul 2026 15:39 UTC
========================================================================
CVE-2026-15392 CPAN Security Group
========================================================================
CVE ID: CVE-2026-15392
Distribution: DBI
Versions: before 1.651
MetaCPAN: https://metacpan.org/dist/DBI
VCS Repo: https://github.com/perl5-dbi/dbi
DBD::File versions before 1.651 for Perl do not ensure the table file
is not a symlink to an untrusted location
Description
-----------
DBD::File versions before 1.651 for Perl do not ensure the table file
is not a symlink to an untrusted location.
The complete_table_name method builds the absolute table file path
without checking whether the file is a symbolic link. A link inside the
data directory can point to a table file at any path outside of the
configured f_dir and f_dir_search directories.
Callers of file-based drivers can read or write files outside of the
data directory.
Problem types
-------------
- CWE-22 Improper Limitation of a Pathname to a Restricted Directory
('Path Traversal')
- CWE-59 Improper Link Resolution Before File Access ('Link Following')
Solutions
---------
Upgrade to version 1.651 or later.
References
----------
https://github.com/perl5-dbi/dbi/security/advisories/GHSA-mh3j-xwf4-jrqw
https://metacpan.org/release/HMBRAND/DBI-1.651/changes
https://github.com/perl5-dbi/dbi/commit/96d62dfe4528bf56fe13f413ed323d4252531728.patch