CVE-2026-48962
Arbitrary Code Execution in IO::Compress Perl Module

Publication date: 2026-05-27

Last updated on: 2026-05-27

Assigner: CPANSec

Description
IO::Compress versions before 2.220 for Perl can execute arbitrary code in File::GlobMapper via an attacker-controlled output glob. _parseOutputGlob() wraps the caller-supplied output glob string in double quotes and stores it in the parser state; _getFiles() then runs the stored expression through eval STRING. A literal double quote in the output glob closes the dquote wrapper, and the characters that follow are evaluated as Perl. Arbitrary Perl in the output glob executes at the calling process's privilege.
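As an added illustration of the quote-and-eval pattern the description attributes to _parseOutputGlob() and _getFiles(), this is hypothetical code, not File::GlobMapper's own; the function names expand_unsafe, expand_safe and assert_plain_output_glob, and the #N back-reference syntax of the output spec, are assumptions. It shows the vulnerable pattern beside a form that needs no eval, plus an input check a caller can apply in front of a not-yet-upgraded library.

```perl
use strict;
use warnings;

# Hypothetical stand-in for the described pattern (not File::GlobMapper's
# own code): an output spec such as "#1.gz" is rewritten into a Perl
# string, wrapped in double quotes and handed to eval STRING (CWE-95).
sub expand_unsafe {
    my ($spec, @captures) = @_;
    (my $expr = $spec) =~ s/#(\d+)/'$captures[' . ($1 - 1) . ']'/ge;
    # A literal " inside $spec terminates the quoted string early, so
    # whatever follows it is compiled and executed as Perl code.
    my $result = eval qq{"$expr"};
    die $@ if $@;
    return $result;
}

# Hardened form: no eval at all. Only the #N back-reference is
# interpreted; every other character of the spec is copied literally.
sub expand_safe {
    my ($spec, @captures) = @_;
    (my $out = $spec) =~ s{#(\d+)}{
        my $i = $1;
        die sprintf("output glob references #%d but only %d captures exist\n",
                    $i, scalar @captures) if $i < 1 || $i > @captures;
        $captures[$i - 1];
    }ge;
    return $out;
}

# Input check for callers that cannot upgrade yet: reject any spec that
# contains a character Perl would interpret inside "..." before it
# reaches the library.
sub assert_plain_output_glob {
    my ($spec) = @_;
    die "refusing output glob containing a quote, sigil or backslash: $spec\n"
        if $spec =~ /["\$\@\\]/;
    return $spec;
}

# Constructed sample: captures from matching an input name like "report.txt".
my @caps = ('report', 'txt');
print expand_unsafe('#1.#2.gz', @caps), "\n";
print expand_safe('#1.#2.gz', @caps), "\n";
for my $spec ('#1.gz', '#1".gz') {
    my $ok = eval { assert_plain_output_glob($spec); 1 };
    print $ok ? "accepted: $spec\n" : "rejected: $@";
}
```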
Meta Information
Generated: 2026-06-16
AI Q&A: 2026-05-27
EPSS evaluated: 2026-06-15
Affected Vendors & Products
Vendor: io_compress; Product: io_compress; Version range: up to 2.220 (excluding 2.220)
CWE
CWE-95: The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes code syntax before using the input in a dynamic evaluation call (e.g. "eval").
Executive Summary

This vulnerability exists in IO::Compress versions before 2.220 for Perl. It allows an attacker to execute arbitrary code through the File::GlobMapper module by controlling the output glob string.

The function _parseOutputGlob() wraps the user-supplied output glob string in double quotes and stores it in the parser state. Later, _getFiles() evaluates the stored string with Perl's eval STRING. If the output glob contains a literal double quote, that quote closes the wrapper early, and the characters after it are compiled and run as Perl code chosen by the attacker.

This arbitrary Perl code runs with the same privileges as the calling process, potentially leading to serious security risks.

Impact Analysis

This vulnerability can lead to arbitrary code execution within the context of the affected application, which means an attacker can run any Perl code they choose with the same privileges as the application.

Potential impacts include unauthorized access, data manipulation, system compromise, and the ability to perform malicious actions such as installing malware or stealing sensitive information.

Mitigation Strategies

To mitigate the vulnerability in IO::Compress versions before 2.220, you should upgrade IO::Compress to version 2.220 or later.

Compliance Impact

The provided information does not specify how this vulnerability impacts compliance with common standards and regulations such as GDPR or HIPAA.

Detection Guidance

This vulnerability involves the execution of arbitrary Perl code via an attacker-controlled output glob in IO::Compress versions before 2.220. Detection consists of identifying installations of vulnerable IO::Compress versions and monitoring for eval executions triggered by crafted output glob strings.

To detect if your system is vulnerable, first check the installed version of IO::Compress in your Perl environment. You can do this by running the following command in a terminal or Perl environment:

  • perl -MIO::Compress -e 'print $IO::Compress::VERSION, "\n"'

If the version is earlier than 2.220, your system is vulnerable and should be updated.

Additionally, to detect exploitation attempts, monitor logs or runtime behavior for eval executions whose input is an output glob string containing a double quote, since a legitimate output glob has no reason to contain one and its presence indicates an attempt to inject Perl code.
