CVE-2026-57074
Deferred
Deferred - Pending Action
Out-of-Bounds Read in XML::Bare Perl Module
Vulnerability report for CVE-2026-57074, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.
Publication date: 2026-07-16
Last updated on: 2026-07-16
Assigner: CPANSec
Description
Description
XML::Bare versions through 0.53 for Perl have an unbounded character lookahead.
The parserc_parse function attempts to check for multicharacter strings such as "<![CDATA" or element terminators such as ">" without checking that the offsets are within the buffer.
Truncated strings such as "<a/" can trigger an out-of-bounds read.
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| nanoscopic | xml_bare | to 0.53 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-125 | The product reads data past the end, or before the beginning, of the intended buffer. |