
IO::Compress versions before 2.220 for Perl can execute arbitrary code in File::GlobMapper via an attacker-controlled output glob.

_parseOutputGlob() wraps the…

Published:

26 May 2026 at 22:00:00

Alert date:

27 May 2026 at 20:13:41

Source:

nvd.nist.gov


Supply Chain & Dependencies, Web Technologies

CVE-2026-48962 affects IO::Compress versions before 2.220 for Perl and allows arbitrary code execution through File::GlobMapper via an attacker-controlled output glob. The vulnerability occurs because _parseOutputGlob() wraps the caller-supplied output glob string in double quotes and stores it in parser state. The _getFiles() function then executes the stored expression through eval STRING. An attacker can inject a literal double quote in the output glob to close the wrapper and execute arbitrary Perl code. The malicious code executes with the privileges of the calling process, making this a critical security issue.
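
A defensive check for the issue described above, as an added example (not code from IO::Compress or from this advisory): it reports whether the installed IO::Compress predates 2.220 and applies a character allowlist to an untrusted output glob before it reaches the library. The helper names, the allowlist and the sample inputs are assumptions made for illustration, as is the premise that IO::Compress::Base reports the distribution's version number.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use version;

# Fixed release named in the advisory above.
my $FIXED = version->parse('2.220');

# Hypothetical helper: 1 if the installed IO::Compress predates the fix,
# 0 if it does not, undef if the module is not installed.
# Assumes IO::Compress::Base carries the distribution's version number.
sub io_compress_is_vulnerable {
    return undef unless eval { require IO::Compress::Base; 1 };
    return version->parse(IO::Compress::Base->VERSION) < $FIXED ? 1 : 0;
}

# Hypothetical helper: accept an untrusted output glob only if every
# character is on a strict allowlist (filename characters plus the
# "#n" and "*" placeholders that File::GlobMapper output globs use).
# Everything else, a double quote included, is rejected outright
# instead of being escaped.
sub output_glob_is_safe {
    my ($glob) = @_;
    return 0 unless defined $glob && length $glob && length $glob <= 255;
    return $glob =~ m{\A[A-Za-z0-9._/#*-]+\z} ? 1 : 0;
}

# Constructed sample inputs, not taken from any real incident.
my @samples = (
    'out/#1.gz',      # placeholder for the first wildcard: accepted
    '*.bz2',          # whole input filename: accepted
    'out/#1.gz"',     # literal double quote: rejected
    'out/#1 copy.gz', # whitespace: rejected
    "out/#1\n.gz",    # control character: rejected
);

my $state = io_compress_is_vulnerable();
printf "IO::Compress: %s\n",
      !defined $state ? 'not installed'
    : $state          ? 'older than 2.220, upgrade'
    :                   '2.220 or later';

for my $glob (@samples) {
    (my $shown = $glob) =~ s/[^\x20-\x7e]/?/g;   # printable form for the log
    printf "%-16s %s\n", $shown, output_glob_is_safe($glob) ? 'accept' : 'reject';
}
```

The allowlist is input hygiene for callers that cannot avoid passing user-influenced globs; upgrading to 2.220 or later is what removes the affected versions.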

Affected products:

IO::Compress
Perl

This article was created with the assistance of AI technology by Perceptive.

© 2025 by Perceptive Security. All rights reserved.

email: info@perceptivesecurity.com

This website displays information originating from external sources; Perceptive accepts no responsibility for the accuracy, completeness or timeliness of this information.
