Message-Id: <CCF0070B-80D4-4508-8434-B01BD6B67320@stig.io>
Date: Wed, 27 May 2026 06:26:19 +0200
From: Stig Palmquist <stig@...g.io>
To: cve-announce@...urity.metacpan.org,
oss-security@...ts.openwall.com
Subject: CVE-2026-8450: HTTP::Daemon versions before 6.17 for Perl allow OS
command injection via send_file()
========================================================================
CVE-2026-8450 CPAN Security Group
========================================================================
CVE ID: CVE-2026-8450
Distribution: HTTP-Daemon
Versions: before 6.17
MetaCPAN: https://metacpan.org/dist/HTTP-Daemon
VCS Repo: https://github.com/libwww-perl/HTTP-Daemon
HTTP::Daemon versions before 6.17 for Perl allow OS command injection
via send_file()
Description
-----------
HTTP::Daemon versions before 6.17 for Perl allow OS command injection
via send_file().
send_file() opens its string argument with Perl's 2-arg open(). The
2-arg form interprets magic prefixes: '| cmd' and 'cmd |' open a pipe
to a subprocess, '> path' and '>> path' open the path for write or
append.
Untrusted input passed to send_file() can run OS commands with the UID of
the daemon process. The read-pipe form ('cmd |') also leaks the subprocess's
stdout into the HTTP response body. The write-mode forms can create or
truncate files at attacker-chosen paths.
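As an added illustration (this is not code from the advisory or from HTTP::Daemon), the script below contrasts the two open() forms the description refers to. The helper names (send_file_hardened, looks_like_magic_open_arg) and the constructed inputs are assumptions for the example; the vulnerable pattern is the 2-arg call described above, the fix is the 3-arg open() with an explicit '<' mode, which treats its argument purely as a filename.

```perl
#!/usr/bin/env perl
# Added example, not HTTP::Daemon's own code. Shows why 3-arg open() with a
# fixed mode closes the send_file() issue: the argument can no longer carry
# 2-arg open() "magic" such as '| cmd', 'cmd |', '> path' or '>> path'.
use strict;
use warnings;
use File::Temp qw(tempfile);

# Hypothetical audit helper: flags strings that 2-arg open() would treat as
# something other than a plain filename (pipe, write/append, dup, STDIN).
# Useful for logging or for reviewing callers; the fix itself does not rely
# on filtering, it removes the interpretation entirely.
sub looks_like_magic_open_arg {
    my ($arg) = @_;
    return 1 if $arg =~ /^\s*[|<>+]/;   # leading '|', '<', '>', '>>', '+<' ...
    return 1 if $arg =~ /\|\s*$/;       # trailing '|' (read from a subprocess)
    return 1 if $arg eq '-';            # lone '-' means STDIN
    return 0;
}

# Hardened send_file-style helper. The advisory's vulnerable pattern is the
# 2-arg form, open(my $in, $path), which parses $path for magic prefixes.
# The 3-arg form below pins the mode to '<', so '| cmd' or '> path' are just
# odd filenames that fail with ENOENT instead of spawning a process or
# truncating a file. Returns bytes sent, or undef if the open failed.
sub send_file_hardened {
    my ($out_fh, $path) = @_;
    open(my $in, '<', $path) or return;
    binmode $in;
    my ($buf, $sent) = ('', 0);
    while (my $n = sysread($in, $buf, 8 * 1024)) {
        print {$out_fh} $buf;
        $sent += $n;
    }
    close $in;
    return $sent;
}

# Constructed input: a temp file plus strings shaped like the magic forms.
# Nothing here executes a command; the point is that the hardened open()
# rejects the shaped strings as nonexistent files.
my ($tfh, $tpath) = tempfile(UNLINK => 1);
print {$tfh} "hello\n";
close $tfh;

for my $arg ($tpath, '| echo injected', 'echo injected |', "> $tpath") {
    my $captured = '';
    open(my $out, '>', \$captured) or die "in-memory handle: $!";
    my $sent = send_file_hardened($out, $arg);
    close $out;
    (my $shown = $captured) =~ s/\n/\\n/g;
    printf "%-40s magic=%d sent=%s body=%s\n",
        "'$arg'", looks_like_magic_open_arg($arg),
        defined $sent ? $sent : 'undef (open failed)',
        length $shown ? "'$shown'" : '(empty)';
}
# The '> path' shaped argument must not have truncated the real file.
printf "temp file still %d bytes\n", -s $tpath;
```

Run it with a plain `perl` interpreter; only the real temp path yields a body, and the three shaped strings fail to open while the temp file keeps its original size. For defenders this is also the review check: grep a code base for 2-arg `open(` calls whose second argument is data-derived, and convert each to the 3-arg form with a literal mode.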
Problem types
-------------
- CWE-78 Improper Neutralization of Special Elements used in an OS
Command ('OS Command Injection')
- CWE-73 External Control of File Name or Path
Solutions
---------
Upgrade to HTTP-Daemon 6.17 or later.
References
----------
https://github.com/libwww-perl/HTTP-Daemon/pull/89
https://github.com/libwww-perl/HTTP-Daemon/commit/945d35141d94490f749640bd4390acd6a2193995.patch
https://metacpan.org/release/OALDERS/HTTP-Daemon-6.17/changes
Timeline
--------
- 2026-05-12: Issue identified.
- 2026-05-19: HTTP-Daemon 6.17 released.