Perl

CVE VENDORS PRODUCTS UPDATED PUBLISHED CVSS
CVE-2026-8376 1Perl 1Perl May 27, 2026 May 26, 2026 N/A· v4 9.8 CRITICAL· v3 N/A· v2 Perl versions through 5.43.10 have a heap buffer overflow when compiling regular expressions with a repeated fixed string on 32-bit builds. Perl_study_chunk in regcomp_study.c checked the size of the joined substring bu...Show more Perl versions through 5.43.10 have a heap buffer overflow when compiling regular expressions with a repeated fixed string on 32-bit builds. Perl_study_chunk in regcomp_study.c checked the size of the joined substring buffer in characters rather than bytes. For a quantified fixed substring with a large minimum count, the byte length mincount * l could overflow SSize_t, producing an undersized SvGROW allocation; the subsequent copy writes past the end of the buffer. A caller that compiles an attacker-controlled regular expression on a 32-bit perl build triggers a heap buffer overflow at compile time.Show less
CVE-2026-4176 1Perl 1Perl Apr 22, 2026 Mar 29, 2026 N/A· v4 9.8 CRITICAL· v3 N/A· v2 Perl versions from 5.9.4 before 5.40.4-RC1, from 5.41.0 before 5.42.2-RC1, from 5.43.0 before 5.43.9 contain a vulnerable version of Compress::Raw::Zlib. Compress::Raw::Zlib is included in the Perl package as a dual-lif...Show more Perl versions from 5.9.4 before 5.40.4-RC1, from 5.41.0 before 5.42.2-RC1, from 5.43.0 before 5.43.9 contain a vulnerable version of Compress::Raw::Zlib. Compress::Raw::Zlib is included in the Perl package as a dual-life core module, and is vulnerable to CVE-2026-3381 due to a vendored version of zlib which has several vulnerabilities, including CVE-2026-27171. The bundled Compress::Raw::Zlib was updated to version 2.221 in Perl blead commit c75ae9cc164205e1b6d6dbd57bd2c65c8593fe94.Show less
CVE-2024-56406 1Perl 1Perl Oct 16, 2025 Apr 13, 2025 N/A· v4 8.4 HIGH· v3 N/A· v2 A heap buffer overflow vulnerability was discovered in Perl. Release branches 5.34, 5.36, 5.38 and 5.40 are affected, including development versions from 5.33.1 through 5.41.10. When there are non-ASCII bytes in the l...Show more A heap buffer overflow vulnerability was discovered in Perl. Release branches 5.34, 5.36, 5.38 and 5.40 are affected, including development versions from 5.33.1 through 5.41.10. When there are non-ASCII bytes in the left-hand-side of the `tr` operator, `S_do_trans_invmap` can overflow the destination pointer `d`. $ perl -e '$_ = "\x{FF}" x 1000000; tr/\xFF/\x{100}/;' Segmentation fault (core dumped) It is believed that this vulnerability can enable Denial of Service and possibly Code Execution attacks on platforms that lack sufficient defenses.Show less
CVE-2023-47039 1Perl 1Perl Nov 21, 2024 Jan 2, 2024 N/A· v4 7.8 HIGH· v3 N/A· v2 A vulnerability was found in Perl. This security issue occurs while Perl for Windows relies on the system path environment variable to find the shell (`cmd.exe`). When running an executable that uses the Windows Perl int...Show more A vulnerability was found in Perl. This security issue occurs while Perl for Windows relies on the system path environment variable to find the shell (`cmd.exe`). When running an executable that uses the Windows Perl interpreter, Perl attempts to find and execute `cmd.exe` within the operating system. However, due to path search order issues, Perl initially looks for cmd.exe in the current working directory. This flaw allows an attacker with limited privileges to place`cmd.exe` in locations with weak permissions, such as `C:\ProgramData`. By doing so, arbitrary code can be executed when an administrator attempts to use this executable from these compromised locations.Show less
CVE-2023-47038 3Fedoraproject PerlRedhat 5Enterprise Linux Enterprise Linux AusEnterprise Linux Eus+2 more Nov 4, 2025 Dec 18, 2023 N/A· v4 7.8 HIGH· v3 N/A· v2 A vulnerability was found in perl 5.30.0 through 5.38.0. This issue occurs when a crafted regular expression is compiled by perl, which can allow an attacker controlled byte buffer overflow in a heap allocated buffer.
CVE-2022-48522 1Perl 1Perl Nov 21, 2024 Aug 22, 2023 N/A· v4 9.8 CRITICAL· v3 N/A· v2 In Perl 5.34.0, function S_find_uninit_var in sv.c has a stack-based crash that can lead to remote code execution or local privilege escalation.
CVE-2023-31486 2Http\ Perl 2\ Perl Jan 30, 2025 Apr 29, 2023 N/A· v4 8.1 HIGH· v3 N/A· v2 HTTP::Tiny before 0.083, a Perl core module since 5.13.9 and available standalone on CPAN, has an insecure default TLS configuration where users must opt in to verify certificates.
CVE-2023-31484 2Cpanpm Project Perl 2Cpanpm Perl Nov 3, 2025 Apr 29, 2023 N/A· v4 8.1 HIGH· v3 N/A· v2 CPAN.pm before 2.35 does not verify TLS certificates when downloading distributions over HTTPS.
CVE-2020-16156 2Fedoraproject Perl 2Comprehensive Perl Archive Network Fedora Nov 3, 2025 Dec 13, 2021 N/A· v4 7.8 HIGH· v3 6.8 MEDIUM· v2 CPAN 2.28 allows Signature Verification Bypass.
CVE-2019-20919 5Canonical DebianFedoraproject+2 more 5Dbi Debian LinuxFedora+2 more Nov 21, 2024 Sep 17, 2020 N/A· v4 4.7 MEDIUM· v3 1.9 LOW· v2 An issue was discovered in the DBI module before 1.643 for Perl. The hv_fetch() documentation requires checking for NULL and the code does that. But, shortly thereafter, it calls SvOK(profile), causing a NULL pointer der...Show more An issue was discovered in the DBI module before 1.643 for Perl. The hv_fetch() documentation requires checking for NULL and the code does that. But, shortly thereafter, it calls SvOK(profile), causing a NULL pointer dereference.Show less
CVE-2014-10402 1Perl 1Dbi Nov 21, 2024 Sep 16, 2020 N/A· v4 6.1 MEDIUM· v3 3.6 LOW· v2 An issue was discovered in the DBI module through 1.643 for Perl. DBD::File drivers can open files from folders other than those specifically passed via the f_dir attribute in the data source name (DSN). NOTE: this issue...Show more An issue was discovered in the DBI module through 1.643 for Perl. DBD::File drivers can open files from folders other than those specifically passed via the f_dir attribute in the data source name (DSN). NOTE: this issue exists because of an incomplete fix for CVE-2014-10401.Show less
CVE-2020-14393 4Debian FedoraprojectOpensuse+1 more 4Database Interface Debian LinuxFedora+1 more Nov 21, 2024 Sep 16, 2020 N/A· v4 7.1 HIGH· v3 3.6 LOW· v2 A buffer overflow was found in perl-DBI < 1.643 in DBI.xs. A local attacker who is able to supply a string longer than 300 characters could cause an out-of-bounds write, affecting the availability of the service or integ...Show more A buffer overflow was found in perl-DBI < 1.643 in DBI.xs. A local attacker who is able to supply a string longer than 300 characters could cause an out-of-bounds write, affecting the availability of the service or integrity of data.Show less
CVE-2020-14392 5Canonical DebianFedoraproject+2 more 5Database Interface Debian LinuxFedora+2 more Nov 21, 2024 Sep 16, 2020 N/A· v4 5.5 MEDIUM· v3 2.1 LOW· v2 An untrusted pointer dereference flaw was found in Perl-DBI < 1.643. A local attacker who is able to manipulate calls to dbd_db_login6_sv() could cause memory corruption, affecting the service's availability.
CVE-2014-10401 1Perl 1Dbi Nov 21, 2024 Sep 11, 2020 N/A· v4 6.1 MEDIUM· v3 3.6 LOW· v2 An issue was discovered in the DBI module before 1.632 for Perl. DBD::File drivers can open files from folders other than those specifically passed via the f_dir attribute.
CVE-2013-7491 1Perl 1Dbi Nov 21, 2024 Sep 11, 2020 N/A· v4 5.3 MEDIUM· v3 5.0 MEDIUM· v2 An issue was discovered in the DBI module before 1.628 for Perl. Stack corruption occurs when a user-defined function requires a non-trivial amount of memory and the Perl stack gets reallocated.
CVE-2013-7490 2Canonical Perl 2Dbi Ubuntu Linux Nov 21, 2024 Sep 11, 2020 N/A· v4 5.3 MEDIUM· v3 5.0 MEDIUM· v2 An issue was discovered in the DBI module before 1.632 for Perl. Using many arguments to methods for Callbacks may lead to memory corruption.
CVE-2020-12723 5Fedoraproject NetappOpensuse+2 more 16Communications Billing And Revenue Management Communications Diameter Signaling RouterCommunications Eagle Application Processor+13 more Nov 21, 2024 Jun 5, 2020 N/A· v4 7.5 HIGH· v3 5.0 MEDIUM· v2 regcomp.c in Perl before 5.30.3 allows a buffer overflow via a crafted regular expression because of recursive S_study_chunk calls.
CVE-2020-10878 5Fedoraproject NetappOpensuse+2 more 17Communications Billing And Revenue Management Communications Diameter Signaling RouterCommunications Eagle Application Processor+14 more Nov 21, 2024 Jun 5, 2020 N/A· v4 8.6 HIGH· v3 7.5 HIGH· v2 Perl before 5.30.3 has an integer overflow related to mishandling of a "PL_regkind[OP(n)] == NOTHING" situation. A crafted regular expression could lead to malformed bytecode with a possibility of instruction injection.
CVE-2020-10543 4Fedoraproject OpensuseOracle+1 more 15Communications Billing And Revenue Management Communications Diameter Signaling RouterCommunications Eagle Application Processor+12 more Nov 21, 2024 Jun 5, 2020 N/A· v4 8.2 HIGH· v3 6.4 MEDIUM· v2 Perl before 5.30.3 on 32-bit platforms allows a heap-based buffer overflow because nested regular expression quantifiers have an integer overflow.
CVE-2018-18314 5Canonical DebianNetapp+2 more 8Debian Linux E Series Santricity Os ControllerEnterprise Linux+5 more Nov 21, 2024 Dec 7, 2018 N/A· v4 9.8 CRITICAL· v3 7.5 HIGH· v2 Perl before 5.26.3 has a buffer overflow via a crafted regular expression that triggers invalid write operations.

12 3 Next