CVE-2026-49147
Deferred Deferred - Pending Action

Terminal Escape Sequence Handling Flaw in App::Ack

Vulnerability report for CVE-2026-49147, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-08

Last updated on: 2026-07-08

Assigner: CPANSec

Description

App::Ack versions through 3.10.0 for Perl print unsanitised terminal escape sequences from filenames in several output modes. When ack prints a filename whose basename contains terminal control bytes such as ANSI escape sequences, those bytes reach the terminal unchanged. Version 3.10.0 added a _safe_filename helper that sanitises the filenames printed by -f, -g, the colored match heading, and per-match lines, but the --show-types, -l/-L, and -c paths still emit the raw filename. A file whose name embeds cursor-movement or color escapes can overwrite or recolor earlier terminal output, or be passed unchanged to a downstream consumer.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-08
Last Modified
2026-07-08
Generated
2026-07-08
AI Q&A
2026-07-08
EPSS Evaluated
N/A
NVD
EUVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
ack ack to 3.10.0 (inc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-150 The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could be interpreted as escape, meta, or control character sequences when they are sent to a downstream component.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

This vulnerability exists in App::Ack versions through 3.10.0 for Perl, where the software prints unsanitised terminal escape sequences from filenames in several output modes.

When ack prints a filename whose basename contains terminal control bytes such as ANSI escape sequences, those bytes are sent to the terminal unchanged.

Although version 3.10.0 added a helper to sanitise filenames printed by some options (-f, -g, colored match heading, and per-match lines), other output paths like --show-types, -l/-L, and -c still output the raw filename.

This means a file with a name embedding cursor-movement or color escape sequences can overwrite or recolor earlier terminal output or be passed unchanged to downstream consumers.

Impact Analysis

This vulnerability can impact you by allowing specially crafted filenames containing terminal control sequences to manipulate terminal output.

Such filenames can overwrite or recolor previous terminal output, potentially misleading users or hiding information.

Additionally, these unsanitised sequences can be passed unchanged to downstream consumers, which might cause unexpected behavior or security issues in other tools processing the output.

Mitigation Strategies

To mitigate this vulnerability, avoid using ack versions through 3.10.0 to print filenames that may contain terminal control bytes such as ANSI escape sequences.

Specifically, be cautious when using the --show-types, -l/-L, and -c options, as these still emit raw filenames without sanitization.

Consider upgrading to a version later than 3.10.0 where the _safe_filename helper sanitizes filenames in most output modes.

As a temporary measure, avoid processing or displaying filenames that may contain terminal control sequences to prevent potential terminal output manipulation.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-49147. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart