Thread Index - June 2026 - CPANSec CVE announcements
CVE-2026-9334: Cpanel::JSON::XS versions before 4.41 for Perl allow type confusion via duplicate object keys when dupkeys_as_arrayref is enabled
Paul Johnson
(03 Jun 2026 00:32 UTC)
CVE-2026-9516: Cpanel::JSON::XS versions before 4.41 for Perl allow denial of service via UTF-8 BOM prefixed input when a decode filter callback throws
Paul Johnson
(03 Jun 2026 00:34 UTC)
CVE-2026-8722: Net::Async::Statsd::Client versions through 0.005 for Perl allow metric injections
Robert Rothenberg
(03 Jun 2026 23:48 UTC)
CVE-2026-8829: HTML::Entities versions before 3.84 for Perl read freed heap memory in _decode_entities
Paul Johnson
(04 Jun 2026 02:09 UTC)
CVE-2026-46739: Net::Statsd versions before 0.13 for Perl allow metric injections
Robert Rothenberg
(04 Jun 2026 15:47 UTC)
CVE-2026-46741: Etsy::StatsD versions through 1.002002 for Perl allow metric injections
Robert Rothenberg
(04 Jun 2026 15:55 UTC)
CVE-2026-49940: Net::CIDR::Set versions through 0.20 for Perl accept non-ASCII IP addresses and netmasks
Robert Rothenberg
(04 Jun 2026 16:09 UTC)
CVE-2026-49941: Net::CIDR::Set versions through 0.20 for Perl did not validate IP addresses
Robert Rothenberg
(04 Jun 2026 16:10 UTC)
CVE-2026-49942: Net::CIDR::Set versions through 0.20 for Perl did not validate network masks
Robert Rothenberg
(04 Jun 2026 16:11 UTC)
CVE-2026-10879: DBI versions before 1.648 for Perl have a heap overflow when preparsing SQL statements with more than 9 binders
Robert Rothenberg
(05 Jun 2026 14:34 UTC)
CVE-2026-9270: DataDog::DogStatsd versions through 0.07 for Perl allow metric injections
Robert Rothenberg
(05 Jun 2026 14:44 UTC)
CVE-2026-11362: DataDog::DogStatsd versions through 0.07 for Perl allow metric injections from event tags
Robert Rothenberg
(05 Jun 2026 14:46 UTC)
CVE-2026-10725: Protocol::HTTP2 versions through 1.12 for Perl is vulnerable to a HTTP/2 Bomb
Robert Rothenberg
(06 Jun 2026 09:16 UTC)
CVE-2026-9698: DBI versions before 1.648 for Perl saved errors in a limited-sized buffer
Robert Rothenberg
(09 Jun 2026 07:26 UTC)
CVE-2009-10007: Catalyst::Plugin::Authentication versions before 0.10_027 for Perl is susceptible to session fixation attacks
Robert Rothenberg
(09 Jun 2026 07:41 UTC)
CVE-2026-50639: Metrics::Any::Adapter::SignalFx versions before 0.04 for Perl does not protect against metric injections
Robert Rothenberg
(10 Jun 2026 18:34 UTC)
CVE-2026-50638: Metrics::Any::Adapter::DogStatsd versions before 0.04 for Perl does not protect against metric injections
Robert Rothenberg
(10 Jun 2026 18:35 UTC)
CVE-2026-50637: Metrics::Any::Adapter::Statsd versions before 0.04 for Perl does not protect against metric injections
Robert Rothenberg
(10 Jun 2026 18:36 UTC)
CVE-2017-20240: Crypt::PBKDF2 versions before 0.261630 for Perl are vulnerable to timing attacks
Robert Rothenberg
(12 Jun 2026 13:23 UTC)
CVE-2026-9638: Crypt::PBKDF2 versions before 0.261630 for Perl generate insecure random values for salts
Robert Rothenberg
(12 Jun 2026 14:43 UTC)
CVE-2026-9641: Crypt::PBKDF2 versions before 0.261630 for Perl have a weak default algorithm and number of iterations
Robert Rothenberg
(12 Jun 2026 15:01 UTC)
CVE-2026-11526: GD versions before 2.86 for Perl allow OS command injection and file overwrite via a 2-arg open() of filename arguments in _make_filehandle
Paul Johnson
(14 Jun 2026 20:24 UTC)
CVE-2026-11527: Config::IniFiles versions before 3.001000 for Perl allow OS command injection and file overwrite via a 2-arg open() of the -file argument in _make_filehandle
Paul Johnson
(14 Jun 2026 20:28 UTC)
CVE-2026-12205: Crypt::DSA versions before 1.21 for Perl reused the nonce across signatures, leading to private-key recovery
Timothy Legge
(15 Jun 2026 13:01 UTC)
CVE-2026-12087: Socket versions before 2.041 for Perl have an out-of-bounds heap read
Robert Rothenberg
(15 Jun 2026 21:12 UTC)
CVE-2026-11832: Dancer2::Plugin::Auth::OAuth versions before 0.22 for Perl default to a predictable nonce
Robert Rothenberg
(15 Jun 2026 21:22 UTC)