CVE-2026-48962
Deferred Deferred - Pending Action

Arbitrary Code Execution in IO::Compress Perl Module

Vulnerability report for CVE-2026-48962, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-05-27

Last updated on: 2026-06-30

Assigner: CPANSec

Description

IO::Compress versions before 2.220 for Perl can execute arbitrary code in File::GlobMapper via an attacker-controlled output glob. _parseOutputGlob() wraps the caller-supplied output glob string in double quotes and stores it in the parser state; _getFiles() then runs the stored expression through eval STRING. A literal double quote in the output glob closes the dquote wrapper, and the characters that follow are evaluated as Perl. Arbitrary Perl in the output glob executes at the calling process's privilege.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-05-27
Last Modified
2026-06-30
Generated
2026-07-06
AI Q&A
2026-05-27
EPSS Evaluated
2026-07-05
NVD
EUVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
io_compress io_compress to 2.220 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-95 The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes code syntax before using the input in a dynamic evaluation call (e.g. "eval").
CWE-94 The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Mitigation Strategies

To mitigate the vulnerability in IO::Compress versions before 2.220, you should upgrade IO::Compress to version 2.220 or later.

Executive Summary

This vulnerability exists in IO::Compress versions before 2.220 for Perl. It allows an attacker to execute arbitrary code through the File::GlobMapper module by controlling the output glob string.

The function _parseOutputGlob() wraps the user-supplied output glob string in double quotes and stores it. Later, _getFiles() evaluates this stored string using Perl's eval function. If the output glob contains a literal double quote, it breaks out of the quoted context, allowing the attacker to inject and execute arbitrary Perl code.

This arbitrary Perl code runs with the same privileges as the calling process, potentially leading to serious security risks.

Impact Analysis

This vulnerability can lead to arbitrary code execution within the context of the affected application, which means an attacker can run any Perl code they choose with the same privileges as the application.

Potential impacts include unauthorized access, data manipulation, system compromise, and the ability to perform malicious actions such as installing malware or stealing sensitive information.

Compliance Impact

The provided information does not specify how this vulnerability impacts compliance with common standards and regulations such as GDPR or HIPAA.

Detection Guidance

This vulnerability involves the execution of arbitrary Perl code via an attacker-controlled output glob in IO::Compress versions before 2.220. Detection would involve identifying usage of vulnerable IO::Compress versions and monitoring for suspicious eval executions triggered by crafted output glob strings.

To detect if your system is vulnerable, first check the installed version of IO::Compress in your Perl environment. You can do this by running the following command in a terminal or Perl environment:

  • perl -MIO::Compress -e 'print $IO::Compress::VERSION, "\n"'

If the version is earlier than 2.220, your system is vulnerable and should be updated.

Additionally, to detect exploitation attempts, monitor logs or runtime behavior for eval executions involving output glob strings containing double quotes, which could indicate attempts to inject Perl code.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-48962. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart