Skip to content

Commit 02fa488

Browse files
1 parent f900485 commit 02fa488

2 files changed

Lines changed: 70 additions & 0 deletions

File tree

Lines changed: 35 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,35 @@
1+
{
2+
"schema_version": "1.4.0",
3+
"id": "GHSA-2g88-7qc8-9vxv",
4+
"modified": "2026-06-14T12:30:26Z",
5+
"published": "2026-06-14T12:30:26Z",
6+
"aliases": [
7+
"CVE-2026-11527"
8+
],
9+
"details": "Config::IniFiles versions before 3.001000 for Perl allow OS command injection and file overwrite via a 2-arg open() of the -file argument in _make_filehandle.\n\nConfig::IniFiles::_make_filehandle opens a filename argument with Perl's 2-arg open(), so a filename that begins or ends with a pipe (\"| cmd\", \"cmd |\") or begins with a redirect (\"> path\", \">> path\") is run as a command or redirect rather than opened as a file. The helper is the open path behind the documented -file argument: new(-file => $thing) reaches it through ReadConfig. An in-memory scalar reference (-file => \\$text) does not open a path and is unaffected.\n\nAny caller that forwards untrusted input to the -file argument can run an arbitrary command or truncate a file under the process UID.",
10+
"severity": [],
11+
"affected": [],
12+
"references": [
13+
{
14+
"type": "ADVISORY",
15+
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-11527"
16+
},
17+
{
18+
"type": "WEB",
19+
"url": "https://github.com/shlomif/perl-Config-IniFiles/commit/3e48f9627fbba4dae5de35be1f735cdeb7e47fb8.patch"
20+
},
21+
{
22+
"type": "WEB",
23+
"url": "https://metacpan.org/release/SHLOMIF/Config-IniFiles-3.001000/changes"
24+
}
25+
],
26+
"database_specific": {
27+
"cwe_ids": [
28+
"CWE-73"
29+
],
30+
"severity": null,
31+
"github_reviewed": false,
32+
"github_reviewed_at": null,
33+
"nvd_published_at": "2026-06-14T12:16:23Z"
34+
}
35+
}
Lines changed: 35 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,35 @@
1+
{
2+
"schema_version": "1.4.0",
3+
"id": "GHSA-hx22-9fx3-xg77",
4+
"modified": "2026-06-14T12:30:26Z",
5+
"published": "2026-06-14T12:30:26Z",
6+
"aliases": [
7+
"CVE-2026-11526"
8+
],
9+
"details": "GD versions before 2.86 for Perl allow OS command injection and file overwrite via a 2-arg open() of filename arguments in _make_filehandle.\n\nGD::Image::_make_filehandle opens a filename argument with Perl's 2-arg open(), so a filename that begins or ends with a pipe (\"| cmd\", \"cmd |\") or begins with a redirect (\"> path\", \">> path\") is run as a command or redirect rather than opened as a file. _make_filehandle is the single open path behind every filename-accepting constructor (new, newFromPng, newFromJpeg, and the rest); the in-memory *Data variants do not open a path and are unaffected.\n\nAny caller that forwards untrusted input to one of these constructors as a pathname can run an arbitrary command or truncate a file under the process UID.",
10+
"severity": [],
11+
"affected": [],
12+
"references": [
13+
{
14+
"type": "ADVISORY",
15+
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-11526"
16+
},
17+
{
18+
"type": "WEB",
19+
"url": "https://github.com/lstein/Perl-GD/commit/67b163713c6c78dfeb693da0978ae934e5cd8210.patch"
20+
},
21+
{
22+
"type": "WEB",
23+
"url": "https://metacpan.org/release/RURBAN/GD-2.86/changes"
24+
}
25+
],
26+
"database_specific": {
27+
"cwe_ids": [
28+
"CWE-73"
29+
],
30+
"severity": null,
31+
"github_reviewed": false,
32+
"github_reviewed_at": null,
33+
"nvd_published_at": "2026-06-14T12:16:22Z"
34+
}
35+
}

0 commit comments

Comments
 (0)