Thread Index - May 2026 - CPANSec CVE announcements
CVE-2026-40561: Starlet versions through 0.31 for Perl allows HTTP Request Smuggling via Improper Header Precedence
Timothy Legge
(03 May 2026 00:58 UTC)
CVE-2026-5081: Apache::Session::Generate::ModUniqueId versions from 1.54 through 1.94 for Perl session ids are insecure
Robert Rothenberg
(06 May 2026 12:19 UTC)
CVE-2026-40562: Gazelle versions through 0.49 for Perl allows HTTP Request Smuggling via Improper Header Precedence
Robert Rothenberg
(06 May 2026 12:38 UTC)
CVE-2013-10075: Apache::Session versions through 1.94 for Perl re-creates deleted sessions
Robert Rothenberg
(08 May 2026 07:46 UTC)
CVE-2026-6659: Crypt::PasswdMD5 versions through 1.42 for Perl generates insecure random values for salts
Robert Rothenberg
(08 May 2026 17:23 UTC)
CVE-2026-45179: Plack::Middleware::Statsd versions before 0.9.0 for Perl may leak user IP addresses
Robert Rothenberg
(10 May 2026 19:34 UTC)
CVE-2026-45180: Catalyst::Plugin::Statsd versions through 0.10.0 for Perl may leak session ids
Robert Rothenberg
(10 May 2026 20:08 UTC)
CVE-2026-45190: Net::CIDR::Lite versions before 0.24 for Perl does not properly validate IP address and CIDR mask inputs, which may allow IP ACL bypass
Stig Palmquist
(10 May 2026 20:24 UTC)
CVE-2026-45191: Net::CIDR::Lite versions before 0.24 for Perl does not properly consider extraneous zero characters in CIDR mask values, which may allow IP ACL bypass
Stig Palmquist
(10 May 2026 20:25 UTC)
CVE-2026-8177: XML::LibXML versions through 2.0210 for Perl read out-of-bounds heap memory when parsing XML node names containing truncated UTF-8 byte sequences
Stig Palmquist
(10 May 2026 20:55 UTC)
Re: [cpansec-cve-announce] CVE-2026-8177: XML::LibXML versions through 2.0210 for Perl read out-of-bounds heap memory when parsing XML node names containing truncated UTF-8 byte sequences
Stig Palmquist
(11 May 2026 07:33 UTC)
CVE-2026-5084: WebDyne::Session versions through 2.075 for Perl generates the session id insecurely
Stig Palmquist
(11 May 2026 07:25 UTC)
CVE-2022-4988: Alien::FreeImage versions through 1.001 for Perl contains several vulnerable libraries
Robert Rothenberg
(11 May 2026 19:07 UTC)
CVE-2026-6146: Amazon::Credentials versions through 1.2.0 for Perl uses rand to generate encryption keys
Robert Rothenberg
(11 May 2026 19:14 UTC)
CVE-2026-7010: HTTP::Tiny versions before 0.093 for Perl do not validate CRLF in HTTP request lines or control field header values
Stig Palmquist
(11 May 2026 21:18 UTC)
CVE-2026-8368: LWP::UserAgent versions before 6.83 for Perl leak Authorization and Proxy-Authorization headers on cross-origin redirects
Stig Palmquist
(12 May 2026 14:07 UTC)
CVE-2026-5089: YAML::Syck versions before 1.38 for Perl has an out-of-bounds read
Robert Rothenberg
(12 May 2026 16:59 UTC)
CVE-2026-8463: Crypt::Argon2 versions from 0.017 before 0.031 for Perl perform a heap out-of-bounds read in argon2_verify on empty encoded input
Stig Palmquist
(13 May 2026 12:43 UTC)
CVE-2026-8500: Web::Passwd versions through 0.03 for Perl is vulnerable to RCE
Robert Rothenberg
(13 May 2026 22:26 UTC)
CVE-2026-8612: WWW::Mechanize::Cached versions before 2.00 for Perl deserialize cached HTTP responses from a world-writable on-disk cache, enabling local response forgery and code execution
Stig Palmquist
(15 May 2026 01:16 UTC)
CVE-2026-8454: Imager::File::GIF versions through 1.002 for Perl allow a heap out of bounds (OOB) write on crafted multi-frame GIF files
Timothy Legge
(15 May 2026 11:00 UTC)
CVE-2026-8503: Apache::Session::Generate::SHA256 versions before 1.3.19 for Perl create insecure session ids
Robert Rothenberg
(15 May 2026 11:14 UTC)
CVE-2026-8669: Imager versions through 1.030 for Perl allow a heap out of bounds (OOB) write on crafted multi-frame GIF files
Timothy Legge
(15 May 2026 13:39 UTC)
CVE-2026-46474: Trog::TOTP versions before 1.006 for Perl generate secrets using rand
Robert Rothenberg
(15 May 2026 17:43 UTC)
CVE-2026-8700: Crypt::DSA versions before 1.20 for Perl generate seeds using rand
Timothy Legge
(15 May 2026 22:12 UTC)
CVE-2026-8704: Crypt::DSA versions through 1.19 for Perl use 2-args open, allowing existing files to be modified
Timothy Legge
(15 May 2026 22:21 UTC)
CVE-2026-46719: Net::Statsd::Lite versions before 0.9.0 for Perl allowed metric injections
Robert Rothenberg
(16 May 2026 13:39 UTC)
CVE-2026-46720: Net::Statsd::Tiny versions before 0.3.8 for Perl allowed metric injections
Robert Rothenberg
(17 May 2026 17:55 UTC)
CVE-2026-8507: Crypt::OpenSSL::PKCS12 versions through 1.94 for Perl have out of bound (OOB) write flaws
Timothy Legge
(17 May 2026 18:44 UTC)
CVE-2026-8721: Crypt::OpenSSL::PKCS12 versions through 1.94 for Perl truncates passwords with embedded NULLs
Timothy Legge
(17 May 2026 18:50 UTC)
CVE-2026-8788: Net::Statsd::Lite versions through 0.10.0 for Perl allowed metric injections
Robert Rothenberg
(18 May 2026 06:41 UTC)
CVE-2026-5090: Template::Plugin::HTML versions through 3.102 for Perl allows HTML and JavaScript to be injected
Robert Rothenberg
(19 May 2026 21:32 UTC)
CVE-2026-47373: Crypt::SaltedHash versions through 0.09 for Perl is susceptible to timing attacks
Robert Rothenberg
(20 May 2026 20:27 UTC)
CVE-2026-47372: Crypt::SaltedHash versions through 0.09 for Perl generate insecure random values for salts
Robert Rothenberg
(20 May 2026 22:09 UTC)
CVE-2026-46473: Authen::TOTP versions before 0.1.1 for Perl generate secrets using rand
Robert Rothenberg
(21 May 2026 18:55 UTC)
CVE-2026-5091: Catalyst::Plugin::Authentication versions through 0.10024 for Perl is susceptible to timing attacks
Robert Rothenberg
(21 May 2026 21:08 UTC)
CVE-2026-8376: Perl versions through 5.43.10 have a heap buffer overflow when compiling regular expressions with a repeated fixed string on 32-bit builds
Timothy Legge
(25 May 2026 23:55 UTC)
CVE-2026-42496: Archive::Tar versions before 3.08 for Perl extract symlinks with attacker controlled targets outside the extraction directory
Stig Palmquist
(26 May 2026 00:22 UTC)
CVE-2026-42497: Archive::Tar versions before 3.08 for Perl extract hardlinks to attacker controlled paths outside the extraction directory
Stig Palmquist
(26 May 2026 00:25 UTC)
CVE-2026-9538: Archive::Tar versions before 3.10 for Perl allow memory exhaustion via attacker controlled entry size field in tar header
Stig Palmquist
(26 May 2026 00:28 UTC)
CVE-2026-46740: Mojolicious::Plugin::Statsd versions through 0.04 for Perl allowed metric injections
Robert Rothenberg
(26 May 2026 22:49 UTC)
CVE-2026-8647: Crypt::ScryptKDF versions through 0.010 for Perl uses insecure random number source when no CSPRNG module is available
Robert Rothenberg
(26 May 2026 22:55 UTC)
CVE-2025-15649: IO::Uncompress::Unzip versions before 2.215 for Perl propagate uncaught exception when parsing zip header with malformed DOS date
Stig Palmquist
(27 May 2026 02:27 UTC)
CVE-2026-48959: IO::Uncompress::Unzip versions before 2.220 for Perl allow CPU exhaustion via per-byte read loop in fastForward
Stig Palmquist
(27 May 2026 02:32 UTC)
CVE-2026-48961: IO::Compress versions from 2.207 before 2.220 for Perl ship a zipdetails CLI tool that crashes with undefined subroutine on Info-ZIP Unix Extra Field with 8-byte UID or GID
Stig Palmquist
(27 May 2026 02:52 UTC)
CVE-2026-48962: IO::Compress versions before 2.220 for Perl can execute arbitrary code in File::GlobMapper via an attacker-controlled output glob
Stig Palmquist
(27 May 2026 03:16 UTC)
CVE-2026-8450: HTTP::Daemon versions before 6.17 for Perl allow OS command injection via send_file()
Stig Palmquist
(27 May 2026 04:26 UTC)
CVE-2026-9658: Plack::Middleware::Security::Common versions before 0.13.1 for Perl did not block header injections in request paths
Robert Rothenberg
(28 May 2026 11:39 UTC)
CVE-2026-41565: CryptX versions before 0.088_001 for Perl have a stack buffer overflow in four AEAD decrypt_verify helpers
Stig Palmquist
(28 May 2026 14:16 UTC)
CVE-2026-8594: Text::LineFold versions through 2019.001 for Perl duplicate the output based on the number of special break characters
Robert Rothenberg
(30 May 2026 15:36 UTC)
CVE-2026-8796: Sereal::Decoder versions before 5.005 for Perl allow heap out-of-bounds read via crafted input
Paul Johnson
(31 May 2026 19:50 UTC)