CVE-2026-48962
Arbitrary Code Execution in IO::Compress Perl Module
Publication date: 2026-05-27
Last updated on: 2026-05-27
Assigner: CPANSec
Description
Exploitability
| CWE ID | Description |
|---|---|
| CWE-95 | The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes code syntax before using the input in a dynamic evaluation call (e.g. "eval"). |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability affects the IO::Compress distribution for Perl in versions before 2.220, specifically its File::GlobMapper module. An attacker who controls the output glob string passed to File::GlobMapper can execute arbitrary Perl code.
_parseOutputGlob() takes the user-supplied output glob, wraps it in double quotes and stores the result as a string. _getFiles() later hands that string to Perl's string eval to build each output filename. Because the pattern is compiled as Perl source rather than handled as data, a literal double quote in the output glob closes the quoted string early, and whatever follows it is parsed and executed as Perl. That is the CWE-95 pattern: code syntax in input reaches a dynamic evaluation call unneutralized.
The injected code runs with the privileges of the process that called File::GlobMapper, so the consequences are bounded only by what that process is allowed to do.
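The mechanism described above, as an added example: this is not code from File::GlobMapper or the IO::Compress distribution, but a deliberately minimal model of the same shape (placeholder expansion, wrap in double quotes, string eval) placed next to a hardened variant that never evaluates the pattern as code. The `#N` placeholder syntax, the `map_output_*` function names and the sample capture list are assumptions made for the demonstration; the payload only flips a flag so the script is safe to run.

```perl
#!/usr/bin/env perl
# Added example, not code from File::GlobMapper or IO::Compress: a minimal
# model of the CWE-95 pattern the advisory describes (pattern wrapped in
# double quotes, then string-eval'd), beside a hardened variant.
use strict;
use warnings;

our $INJECTED = 0;   # flag the payload flips so the demo stays harmless

# Vulnerable model. '#N' placeholders become array lookups, the whole
# pattern is wrapped in '"' and handed to string eval: exactly the shape
# that lets an embedded '"' terminate the string and start Perl code.
sub map_output_vulnerable {
    my ($pattern, $caps) = @_;
    (my $code = $pattern) =~ s/#(\d+)/\$caps->[$1]/g;   # '#1' -> '$caps->[1]'
    $code = '"' . $code . '"';
    my $out = eval $code;                                 # code injection point
    die "bad output glob: $@" if $@;
    return $out;
}

# Hardened model. The same '#N' expansion is done by substitution against
# the capture list; everything else in the pattern is copied literally, so
# a '"' or any other Perl syntax in it is just characters in a filename.
sub map_output_safe {
    my ($pattern, $caps) = @_;
    (my $out = $pattern) =~ s/#(\d+)/defined $caps->[$1] ? $caps->[$1] : ''/ge;
    return $out;
}

# Constructed sample: the input glob '*.txt' matched 'report.txt', so
# '#1' is 'report'. Index 0 is unused to keep the 1-based '#N' numbering.
my @captures = (undef, 'report');

# A benign pattern, then one carrying an embedded payload. The payload only
# sets $INJECTED; an attacker would call system(), unlink(), etc. instead.
my @patterns = (
    '#1.gz',
    '#1.gz" . do { $main::INJECTED = 1; "" } . "',
);

for my $pattern (@patterns) {
    $INJECTED = 0;
    my $vuln = map_output_vulnerable($pattern, \@captures);
    printf "vulnerable: out=%-14s code ran=%d\n", $vuln, $INJECTED;

    $INJECTED = 0;
    my $safe = map_output_safe($pattern, \@captures);
    printf "hardened:   out=%-14s code ran=%d\n\n", $safe, $INJECTED;
}
```

With the second pattern the vulnerable routine still returns the innocent-looking name `report.gz`, because the payload closes the string, runs its code and reopens an empty string; only the flag reveals that code executed. The hardened routine returns the pattern with the quote and the Perl text left as literal characters, which is ugly but inert. Whether 2.220 fixes the module this way or differently is not stated on this page; the point of the model is that the pattern must be treated as data, not compiled. To see which version is installed, check the distribution's base module: `perl -MIO::Compress::Base -e 'print "$IO::Compress::Base::VERSION\n"'`.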
How can this vulnerability impact me?
Any application that lets an untrusted party supply the output glob, either by calling File::GlobMapper directly or through the IO::Compress one-shot interfaces that accept '<glob>' style output arguments, can be made to run attacker-chosen Perl code with the application's privileges.
The impact is therefore whatever that process is allowed to do: read or modify the data it can reach, write files, spawn other programs, install malware or exfiltrate sensitive information, up to full compromise of the host if the process is privileged. If the output glob is only ever built from constant strings under the application's own control, the injection point is not reachable by an attacker, but the affected version should still be upgraded to 2.220 or later.