CVE-2026-13397
Deferred Deferred - Pending Action

HTML::Bare Infinite Loop in Malformed Attributes

Vulnerability report for CVE-2026-13397, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-16

Last updated on: 2026-07-16

Assigner: CPANSec

Description

HTML::Bare versions through 0.04 for Perl will hang in an infinite loop when parsing malformed attributes. The parserc_parse function never advances the attribute-parse state cursor on certain malformed attribute forms, looping forever. Nameless attributes such as "<a ='c'>" or unbalanced quotes "<a b='''''''c'>" can trigger this condition. Note that the latest version available on CPAN is version 0.02. Newer versions are available on the git repository.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-16
Last Modified
2026-07-16
Generated
2026-07-16
AI Q&A
2026-07-16
EPSS Evaluated
N/A
NVD
EUVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
nanoscopic html_bare to 0.04 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-835 The product contains an iteration or loop with an exit condition that cannot be reached, i.e., an infinite loop.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

CVE-2026-13397 is an infinite loop vulnerability in the HTML::Bare Perl module's C parser. It occurs when parsing malformed HTML attributes, causing the parser to hang indefinitely in a specific state without advancing its position. This consumes CPU resources and blocks the Perl interpreter.

Detection Guidance

To detect this vulnerability, monitor for processes consuming excessive CPU resources when processing HTML content. Check for Perl scripts using HTML::Bare module versions through 0.04. Test with malformed HTML inputs like '<a href='b'''''>' to see if the parser hangs.

Impact Analysis

This vulnerability can cause denial-of-service by consuming all available CPU resources on a system processing malformed HTML input. It may hang applications using HTML::Bare, leading to unresponsive services or crashes. The impact is severe because Perl-level signals cannot interrupt the loop.

Compliance Impact

This vulnerability causes an infinite loop in the HTML::Bare parser when processing malformed HTML, leading to indefinite CPU resource consumption. This could disrupt services handling user data, potentially violating availability requirements in GDPR (Article 32) and HIPAA (Security Rule Β§164.312). However, the vulnerability does not directly expose or leak data, so primary compliance risks relate to service disruption rather than data breaches.

Mitigation Strategies

Immediately upgrade HTML::Bare to the latest version from the git repository. If using CPAN, avoid versions through 0.04. Apply the patch from Resource 2 if upgrading is not possible. Monitor CPU usage for hung processes and terminate them if detected.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-13397. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart