CVE-2026-48962

Source: https://cve.org/CVERecord?id=CVE-2026-48962
Import Source: https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2026-48962.json
JSON Data: https://api.test.osv.dev/v1/vulns/CVE-2026-48962
Published: 2026-05-27T03:12:38.974Z
Modified: 2026-05-29T03:53:33.541085331Z
Severity: 7.3 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
Summary
IO::Compress versions before 2.220 for Perl can execute arbitrary code in File::GlobMapper via an attacker-controlled output glob
Details

IO::Compress versions before 2.220 for Perl can execute arbitrary code in File::GlobMapper via an attacker-controlled output glob.

_parseOutputGlob() wraps the caller-supplied output glob string in double quotes and stores it in the parser state; _getFiles() then runs the stored expression through eval STRING. A literal double quote in the output glob closes the double-quote wrapper, and the characters that follow are evaluated as Perl.

Arbitrary Perl in the output glob executes with the privileges of the calling process.
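
The flaw described above comes from turning the output glob into Perl source and passing it to eval STRING. The sketch below is an added example, not code from IO::Compress or File::GlobMapper and not the project's fix: it performs the same placeholder expansion by substitution, so the glob is only ever treated as data. The helper name expand_output_glob, its character allowlist and the sample filenames are assumptions made for illustration.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Hypothetical helper (not File::GlobMapper's API): expand an output glob
# template by substitution instead of building Perl source for eval STRING.
#   #N  (N = 1..9) -> Nth wildcard capture from the input glob
#   *              -> the complete input filename
sub expand_output_glob {
    my ($template, $in_file, @captures) = @_;

    # Assumed allowlist: plain path characters plus the two placeholders.
    # Anything else is refused before expansion starts.
    die "output glob rejected: disallowed character\n"
        unless $template =~ m{\A[A-Za-z0-9._/#*-]+\z};
    die "output glob rejected: '#' must be followed by 1-9\n"
        if $template =~ m{#(?![1-9])};

    my $out = $template;
    # Placeholder values are inserted as data; they are never re-parsed as code.
    $out =~ s{#([1-9])|\*}{
        defined $1
            ? ($captures[$1 - 1] // die "output glob rejected: no capture #$1\n")
            : $in_file
    }ge;
    return $out;
}

# Constructed sample: input glob "*.tar" matched "backup.tar", so capture 1
# is "backup".
print expand_output_glob('#1.tar.gz', 'backup.tar', 'backup'), "\n";
print expand_output_glob('out/*.gz',  'backup.tar', 'backup'), "\n";

# A template containing a literal double quote is refused outright.
my $ok = eval { expand_output_glob('x"y', 'backup.tar', 'backup'); 1 };
print $ok ? "accepted\n" : "refused: $@";
```

On an affected version, applying the same allowlist check to any caller-supplied output glob before it reaches File::GlobMapper narrows the exposure until the upgrade to 2.220 is in place.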

Database specific
{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/48xxx/CVE-2026-48962.json",
    "cwe_ids": [
        "CWE-95"
    ],
    "cna_assigner": "CPANSec"
}
Affected packages

Git / github.com/pmqs/io-compress

Affected ranges

Type: GIT
Repo: https://github.com/pmqs/io-compress
Events:
  Introduced: 0 (Unknown introduced commit / All previous commits are affected)
  Fixed:

Affected versions

Other
v2-205
v2.*
v2.000_00
v2.000_02
v2.000_03
v2.000_04
v2.000_05
v2.000_06
v2.000_07
v2.000_09
v2.000_10
v2.000_11
v2.000_12
v2.000_13
v2.000_14
v2.001
v2.002
v2.003
v2.004
v2.005
v2.006
v2.007
v2.008
v2.010
v2.011
v2.012
v2.014
v2.015
v2.017
v2.018
v2.019
v2.020
v2.021
v2.022
v2.023
v2.024
v2.025
v2.026
v2.027
v2.030
v2.032
v2.033
v2.034
v2.035
v2.036
v2.037
v2.039
v2.040
v2.042
v2.043
v2.044
v2.045
v2.046
v2.047
v2.048
v2.049
v2.052
v2.055
v2.057
v2.058
v2.059
v2.060
v2.061
v2.062
v2.063
v2.064
v2.066
v2.067
v2.068
v2.069
v2.070
v2.072
v2.073
v2.074
v2.080
v2.081
v2.082
v2.083
v2.084
v2.086
v2.087
v2.088
v2.089
v2.090
v2.091
v2.092
v2.093
v2.095
v2.096
v2.100
v2.101
v2.102
v2.103
v2.105
v2.106
v2.201
v2.204
v2.206
v2.207
v2.208
v2.211
v2.212
v2.213
v2.214
v2.215
v2.216
v2.217
v2.218
v2.219

Database specific

source: "https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2026-48962.json"