CVE-2026-11526
Status: Received - Intake
GD Perl Command Injection and File Overwrite

Publication date: 2026-06-14

Last updated on: 2026-06-14

Assigner: CPANSec

Description
GD versions before 2.86 for Perl allow OS command injection and file overwrite via a 2-arg open() of filename arguments in _make_filehandle. GD::Image::_make_filehandle opens a filename argument with Perl's 2-arg open(), so a filename that begins or ends with a pipe ("| cmd", "cmd |") or begins with a redirect ("> path", ">> path") is run as a command or redirect rather than opened as a file. _make_filehandle is the single open path behind every filename-accepting constructor (new, newFromPng, newFromJpeg, and the rest); the in-memory *Data variants do not open a path and are unaffected. Any caller that forwards untrusted input to one of these constructors as a pathname can run an arbitrary command or truncate a file under the process UID.
Affected Vendors & Products
Currently, no data is known.
CWE
CWE-73: The product allows user input to control or influence paths or file names that are used in filesystem operations.
CWE-78: The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.
Executive Summary

CVE-2026-11526 is a command injection vulnerability in the GD library's Perl module, specifically in the _make_filehandle function.

The vulnerability arises because the function uses Perl's two-argument open() call to open filenames. If a filename begins or ends with special shell characters like a pipe ("| cmd", "cmd |") or a redirect ("> path", ">> path"), it is interpreted as a command or redirection rather than a literal filename.

This means that any untrusted input passed as a filename to GD::Image constructors (such as new, newFromPng, newFromJpeg) can lead to arbitrary OS command execution or file overwrite under the process's user ID.

Impact Analysis

This vulnerability can allow an attacker to execute arbitrary operating system commands or overwrite files on the system where the vulnerable GD Perl module is used.

If an application forwards untrusted input as a filename to GD::Image constructors, an attacker could exploit this to run malicious commands or truncate files with the same privileges as the process running the Perl code.

Such impacts could lead to unauthorized system access, data loss, or compromise of the host environment.

Detection Guidance

This vulnerability involves the GD Perl module's _make_filehandle function interpreting certain filename arguments as commands or redirections, leading to OS command injection or file overwrite.

To detect exploitation attempts or presence of this vulnerability on your system, you can:

  • Check for usage of GD Perl module versions before 2.86.
  • Audit logs or application inputs for filenames starting or ending with pipe characters ("| cmd", "cmd |") or starting with redirection characters ("> path", ">> path").
  • Use commands to search for suspicious patterns in your codebase or logs, for example (matches a line that begins with a pipe or a redirect, or ends with a pipe):
      grep -rnE '^[[:space:]]*(\||>)|\|[[:space:]]*$' /path/to/your/perl/scripts
  • Review running processes or command histories for unexpected commands triggered by such filenames.

Since the vulnerability is in the way filenames are opened, monitoring for unexpected file truncations or command executions related to GD::Image constructors may also help.

Mitigation Strategies

The primary mitigation is to upgrade the GD Perl module to version 2.86 or later, where the vulnerability is fixed by replacing the two-argument open() call with a safer three-argument open() that treats filenames literally.

If upgrading immediately is not possible, strictly validate any input passed to GD::Image constructors and reject values carrying open() metacharacters, that is, a leading or trailing pipe or a leading redirection symbol.

Avoid forwarding untrusted or user-controlled input as filenames to GD::Image constructors.

Review and apply the patch available at the provided resource URL to fix the vulnerability in your current version.
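The following is an added example (not code from GD or from this advisory) that serves both the detection guidance and the mitigation above: a pre-check for the filename forms that Perl's 2-arg open() interprets specially, and a wrapper that opens the file itself with 3-arg open() and hands the filehandle to GD::Image->new, which GD documents as accepting a filehandle in place of a name. The function names and the sample inputs are hypothetical and constructed for the demonstration.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Filenames that Perl's 2-arg open() does not treat as a plain path: a
# leading or trailing pipe (runs a command), a leading ">" or ">>" (truncates
# or appends to a file), a leading "<" or "+" (explicit read/update mode) and
# a bare "-" (STDIN). The advisory names the pipe and redirect forms; the rest
# are included so the check covers every magic prefix of 2-arg open().
sub is_magic_open_name {
    my ($name) = @_;
    return 1 if $name =~ /^\s*[|><+]/;   # leading pipe, redirect or mode char
    return 1 if $name =~ /\|\s*$/;       # trailing pipe
    return 1 if $name =~ /^\s*-\s*$/;    # lone "-"
    return 0;
}

# Structural fix for callers still on GD < 2.86: never hand the constructor a
# pathname. Open the file here with 3-arg open(), whose fixed '<' mode takes
# the name literally, and pass the handle; given a filehandle, GD performs no
# open() of its own. The pre-check is a second layer for code paths that
# still pass strings to the old constructors.
sub load_image_safely {
    my ($path) = @_;
    die "refusing suspicious filename: $path\n" if is_magic_open_name($path);
    open(my $fh, '<', $path) or die "cannot open $path: $!\n";
    binmode $fh;
    require GD;
    my $img = GD::Image->new($fh) or die "not a recognisable image: $path\n";
    close $fh;
    return $img;
}

# Constructed sample inputs: how each is classified before it reaches GD.
# A name such as './-weird.png' passes, which is why prefixing a relative
# path with './' is a simple normalisation for otherwise plain names.
for my $name ('photo.png', '| id', 'id |', '> /tmp/out', '>> /tmp/out', '-', './-weird.png') {
    printf "%-16s %s\n", "'$name'", is_magic_open_name($name) ? 'REJECT' : 'ok';
}
```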
