CVE-2026-57073
Deferred Deferred - Pending Action

Out-of-Bounds Read in HTML::Bare Perl Module

Vulnerability report for CVE-2026-57073, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-16

Last updated on: 2026-07-16

Assigner: CPANSec

Description

HTML::Bare versions through 0.04 for Perl have an unbounded character lookahead. The parserc_parse function attempts to check for multicharacter strings such as "<![CDATA" or element terminators such as ">" without checking that the offsets are within the buffer. Truncated strings such as "<a/" can trigger an out-of-bounds read. Note that the latest version available on CPAN is version 0.02. Newer versions are available on the git repository.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-16
Last Modified
2026-07-16
Generated
2026-07-16
AI Q&A
2026-07-16
EPSS Evaluated
N/A
NVD
EUVD

Affected Vendors & Products

Currently, no data is known.

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-125 The product reads data past the end, or before the beginning, of the intended buffer.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

This vulnerability is a heap-based buffer overflow in the HTML::Bare Perl module's C parser. It occurs when parsing untrusted HTML markup, where the parser advances its position in the buffer without checking boundaries, leading to out-of-bounds reads. The issue is triggered by truncated inputs like `<![CDATA\0` or `<p/\0`, causing the parser to read past allocated memory.

Detection Guidance

This vulnerability is specific to the HTML::Bare Perl module and requires checking for its presence and version. Use commands like 'cpan -D HTML::Bare' or 'perl -MHTML::Bare -e "print $HTML::Bare::VERSION"' to detect installed versions. If vulnerable versions (0.02 or 0.04) are found, apply the patch from the provided resources.

No direct network detection commands are applicable as this is a library-level issue. Focus on auditing Perl applications using HTML::Bare.

Impact Analysis

An attacker could exploit this to read sensitive memory, crash the application, or potentially execute arbitrary code. It affects applications using HTML::Bare to parse untrusted HTML input, especially if the input is malformed or truncated.

Compliance Impact

This vulnerability does not directly affect compliance with GDPR, HIPAA, or similar standards. It is a technical flaw in the HTML::Bare Perl module that could lead to out-of-bounds memory reads when parsing untrusted HTML input. Compliance impacts would only occur if this flaw were exploited to access or manipulate sensitive data during processing, which is not described in the provided context.

Mitigation Strategies

Immediately update HTML::Bare to a patched version or apply the provided patches from resources 1, 2, or 3. Remove or replace any usage of the vulnerable parserc_parse function with the fixed version. Audit all Perl applications using HTML::Bare for potential exposure.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-57073. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart