


Perceptive Security
SOC/SIEM Consultancy

HTTP::Daemon versions before 6.17 for Perl allow OS command injection via send_file().
send_file() opens its string argument with Perl's 2-arg open(). The 2-ar…
Published:
26 May 2026 at 22:00:00
Alert date:
27 May 2026 at 20:13:41
Source:
nvd.nist.gov
Web Technologies, Supply Chain & Dependencies
HTTP::Daemon versions before 6.17 for Perl contain an OS command injection vulnerability in the send_file() function. send_file() opens its string argument with Perl's 2-arg open(), which interprets magic prefixes in that string and can therefore open pipes to subprocesses or create or modify files. If untrusted input reaches send_file(), an attacker can execute OS commands with the privileges of the daemon process, leak subprocess output into HTTP responses, or manipulate files at chosen paths. All versions prior to 6.17 are affected; the issue is fixed in 6.17.
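A defensive pattern for callers that build the send_file() argument from request data, shown as an added example (not code from HTTP::Daemon or from this advisory): resolve the name under a document root and open it with 3-arg open(), so the string is only ever a file name. The names `open_for_send` and `$DOCROOT` are hypothetical, the sample inputs are constructed, and the prefix check assumes a Unix-style path separator.

```perl
#!/usr/bin/env perl
# Added example: open_for_send() and $DOCROOT are hypothetical names,
# not part of HTTP::Daemon.
use strict;
use warnings;
use Cwd qw(realpath);
use File::Spec;
use File::Temp qw(tempdir);

# Constructed document root holding one file, so the script runs offline.
my $DOCROOT = realpath(tempdir(CLEANUP => 1));
{
    my $sample = File::Spec->catfile($DOCROOT, 'index.html');
    open(my $out, '>', $sample) or die "setup failed: $!";
    print {$out} "<p>constructed sample</p>\n";
    close($out) or die "setup failed: $!";
}

# Map a request-derived name to a read-only filehandle, or return nothing.
# With 3-arg open() the mode ('<') is a separate argument, so mode and pipe
# characters inside the path are plain file-name bytes, never instructions.
sub open_for_send {
    my ($name) = @_;
    return if !defined $name || $name =~ /\0/;        # no embedded NUL
    my $real = realpath(File::Spec->catfile($DOCROOT, $name));
    return unless defined $real && -f $real;          # regular files only
    return unless index($real, "$DOCROOT/") == 0;     # must stay in docroot
    open(my $fh, '<', $real) or return;
    binmode($fh);
    return $fh;
}

# Constructed inputs: a valid name, a traversal attempt, a missing file.
for my $name ('index.html', '../outside.txt', 'missing.html') {
    my $fh = open_for_send($name);
    printf "%-16s %s\n", $name, $fh ? 'opened read-only' : 'rejected';
    close($fh) if $fh;
}

# In a request handler, pass the handle rather than the string. send_file()
# is documented to accept a filehandle, which it does not open itself:
#   my $fh = open_for_send($requested_name);
#   if ($fh) { $conn->send_file($fh) } else { $conn->send_error(404) }
```

This complements the upgrade to 6.17 rather than replacing it, since other code paths in an application may still pass strings to send_file().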
Affected products:
HTTP::Daemon
Related links:
https://nvd.nist.gov/vuln/detail/CVE-2026-8450
https://github.com/libwww-perl/HTTP-Daemon/commit/945d35141d94490f749640bd4390acd6a2193995.patch
https://github.com/libwww-perl/HTTP-Daemon/pull/89
https://metacpan.org/release/OALDERS/HTTP-Daemon-6.17/changes
http://www.openwall.com/lists/oss-security/2026/05/27/5
This article was created with the assistance of AI technology by Perceptive.
