CVE-2026-14380
Received Received - Intake

Code Injection in Perl DBI via Profile Attribute

Vulnerability report for CVE-2026-14380, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-07

Last updated on: 2026-07-08

Assigner: CPANSec

Description

DBI versions before 1.650 for Perl are vulnerable to code injection via caller-influenced Profile. When a string is assigned to a DBI handle's Profile attribute, DBI splits it into path, package and arguments, and interpolates the package part in a string eval with no validation of the package name. Any caller-influenced value that reaches the Profile attribute is therefore arbitrary Perl code execution, including calls to run system commands. The Profile attribute can be set from three different sources that can carry untrusted data: the DBI_PROFILE environment variable, a direct attribute assignment, and a DSN driver-attribute clause dbi:Driver(Profile=>SPEC):db. An attacker controlling any of those inputs runs arbitrary Perl in the host process. The strongest remote position is a network-exposed DBI::Gofer / DBI::ProxyServer whose per-request DSN reaches the Profile attribute, letting a client execute code on the broker host.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-07
Last Modified
2026-07-08
Generated
2026-07-08
AI Q&A
2026-07-08
EPSS Evaluated
N/A
NVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
perl dbi to 1.650 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-95 The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes code syntax before using the input in a dynamic evaluation call (e.g. "eval").

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

This vulnerability affects DBI versions before 1.650 for Perl and involves code injection via the caller-influenced Profile attribute.

When a string is assigned to a DBI handle's Profile attribute, DBI splits it into path, package, and arguments, then interpolates the package part in a string eval without validating the package name.

If an attacker can control any value that reaches the Profile attribute, they can execute arbitrary Perl code, including running system commands.

The Profile attribute can be set from three sources that may carry untrusted data: the DBI_PROFILE environment variable, direct attribute assignment, and a DSN driver-attribute clause.

An attacker controlling any of these inputs can run arbitrary Perl code in the host process, with the strongest remote attack vector being a network-exposed DBI::Gofer or DBI::ProxyServer where the DSN reaches the Profile attribute.

Impact Analysis

This vulnerability allows an attacker to execute arbitrary Perl code on the host process, which can include running system commands.

If exploited, it can lead to full compromise of the affected system, unauthorized access, data manipulation, or disruption of services.

The strongest impact occurs when the vulnerable DBI is used in network-exposed components like DBI::Gofer or DBI::ProxyServer, allowing remote attackers to execute code on the broker host.

Mitigation Strategies

To mitigate this vulnerability, upgrade DBI to version 1.650 or later, where the issue has been fixed.

The fix involves replacing the unsafe string eval used to load the Profile package with a safer method using Module::Load, which prevents arbitrary code execution.

Additionally, avoid using untrusted input to set the Profile attribute via the DBI_PROFILE environment variable, direct attribute assignment, or DSN driver-attribute clauses.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-14380. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart