CVE-2026-49145
Deferred Deferred - Pending Action

Path Traversal in App::Ack via .ackrc --files-from

Vulnerability report for CVE-2026-49145, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-08

Last updated on: 2026-07-08

Assigner: CPANSec

Description

App::Ack versions through 3.10.0 for Perl read arbitrary files via --files-from in a project .ackrc. ack searches up the directory hierarchy from the current directory for a project .ackrc and loads its options. The project-source option blocklist in App::Ack::ConfigLoader does not include --files-from, so a project .ackrc can set it to a path whose listed files ack then reads and searches. Version 3.10.0 added --follow to the blocklist; --files-from remains accepted. A project .ackrc committed to an untrusted repository can make ack read files outside the project and print their matching lines.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-08
Last Modified
2026-07-08
Generated
2026-07-08
AI Q&A
2026-07-08
EPSS Evaluated
N/A
NVD
EUVD

Affected Vendors & Products

Currently, no data is known.

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-426 The product searches for critical resources using an externally-supplied search path that can point to resources that are not under the product's direct control.
CWE-73 The product allows user input to control or influence paths or file names that are used in filesystem operations.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

This vulnerability exists in App::Ack versions through 3.10.0 for Perl, where the program reads arbitrary files via the --files-from option in a project .ackrc configuration file.

Ack searches up the directory hierarchy from the current directory for a project .ackrc file and loads its options. However, the project-source option blocklist in App::Ack::ConfigLoader does not include the --files-from option, allowing a project .ackrc file to specify a path whose listed files ack then reads and searches.

Although version 3.10.0 added --follow to the blocklist, --files-from remains accepted, meaning a project .ackrc committed to an untrusted repository can cause ack to read files outside the project and print their matching lines.

Impact Analysis

This vulnerability can allow an attacker to cause ack to read and output contents of arbitrary files outside the intended project scope.

If a project .ackrc file is committed to an untrusted repository with a malicious --files-from setting, ack may disclose sensitive or confidential information by reading files that should not be accessed.

Mitigation Strategies

To mitigate this vulnerability, avoid using App::Ack versions through 3.10.0 that accept the --files-from option in a project .ackrc file.

Specifically, ensure that project .ackrc files from untrusted repositories are not used, as they can cause ack to read arbitrary files outside the project.

Consider upgrading to a version of App::Ack that blocks the --files-from option or applying patches that add this option to the blocklist.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-49145. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart