Cpan Security Advisories | Ecosyste.ms: Advisories

cpan

374 packages · metacpan.org

Security Advisories in cpan

Unspecified security issues. CPANSA-MySQL-Admin-1-1

cpan MySQL-Admin

17 days ago

Protocol::HTTP2 versions through 1.12 for Perl is vulnerable to a HTTP/2 Bomb. Protocol::HTTP2's inbound HPACK path has no header-list size limit, so a small HTTP/2 request can expand into large server memory (the "HTTP/2 bomb"). The headers_decode m... CPANSA-Protocol-HTTP2-2026-10725

cpan Protocol-HTTP2

18 days ago

DataDog::DogStatsd versions through 0.07 for Perl allow metric injections. DataDog::DogStatsd does not properly sanitise input, allowing metric injections of data from untrusted sources. The send_stats method does not remove newlines from metric name... CPANSA-DataDog-DogStatsd-2026-9270

cpan DataDog-DogStatsd

18 days ago

DataDog::DogStatsd versions through 0.07 for Perl allow metric injections from event tags. DataDog::DogStatsd does not properly sanitise input, allowing metric injections of data from untrusted sources. The format_event method (used by the event meth... CPANSA-DataDog-DogStatsd-2026-11362

cpan DataDog-DogStatsd

18 days ago

DBI versions before 1.648 for Perl have a heap overflow when preparsing SQL statements with more than 9 binders. The preparse method expands SQL placeholder characters to numbered binders of the form :pN, but only allocates three characters per binder... CPANSA-DBI-2026-10879

cpan DBI

19 days ago

Net::CIDR::Set versions through 0.20 for Perl did not validate network masks. The mask portion of a network mask could contain Unicode digits such as the Arabic-Indic One (U+0661), or non-digits, which were ignored. This could allow network masks to... CPANSA-Net-CIDR-Set-2026-49942

cpan Net-CIDR-Set

19 days ago

HTML::Entities versions before 3.84 for Perl read freed heap memory in _decode_entities. The XS routine backing HTML::Entities::_decode_entities cached a pointer (repl) into the entity-value SV returned by hv_fetch on the entity2char hash. When the in... CPANSA-HTML-Parser-2026-8829

cpan HTML-Parser

19 days ago

Net::CIDR::Set versions through 0.20 for Perl did not validate IP addresses. The add method called the _encode method to parse addresses. If the addresses did not look like netmasks or network ranges, then they were assumed to single IP addresses and ... CPANSA-Net-CIDR-Set-2026-49941

cpan Net-CIDR-Set

19 days ago

Etsy::StatsD versions through 1.002002 for Perl allow metric injections. The metric names and values are not checked for newlines, colons or pipes. Metrics generated from untrusted sources could inject additional statsd metrics. Note that the git rep... CPANSA-Etsy-StatsD-2026-46741

cpan Etsy-StatsD

19 days ago

Net::CIDR::Set versions through 0.20 for Perl accept non-ASCII IP addresses and netmasks. Unicode digits such as the Arabic-Indic One (U+0661) were accepted but not properly parsed as numbers. This could allow network masks to accept larger networks. CPANSA-Net-CIDR-Set-2026-49940

cpan Net-CIDR-Set

19 days ago

Net::Async::Statsd::Client versions through 0.005 for Perl allow metric injections. The metric names are not checked for newlines, colons or pipes. Metrics generated from untrusted sources could inject additional statsd metrics. CPANSA-Net-Async-Statsd-2026-8722

cpan Net-Async-Statsd

19 days ago

Net::Statsd versions before 0.13 for Perl allow metric injections. The metric names are not checked for newlines, colons or pipes. Metrics generated from untrusted sources could inject additional statsd metrics. The update_stats (used for updating co... CPANSA-Net-Statsd-2026-46739

cpan Net-Statsd

20 days ago

Cpanel::JSON::XS versions before 4.41 for Perl allow type confusion via duplicate object keys when dupkeys_as_arrayref is enabled. decode_hv() collapses duplicate object keys into an array reference under dupkeys_as_arrayref. The branch reached for a ... CPANSA-Cpanel-JSON-XS-2026-9334

cpan Cpanel-JSON-XS

20 days ago

Cpanel::JSON::XS versions before 4.41 for Perl allow denial of service via UTF-8 BOM prefixed input when a decode filter callback throws. To skip a leading 3-byte UTF-8 BOM, decode_json() advances the input scalar's string pointer past the mark with S... CPANSA-Cpanel-JSON-XS-2026-9516

cpan Cpanel-JSON-XS

23 days ago

Sereal::Decoder versions before 5.005 for Perl allow heap out-of-bounds read via crafted input. In Perl/Decoder/srl_decoder.c, srl_read_object() and srl_read_hash() process a COPY tag, a back-reference whose target byte the decoder re-decodes as a fre... CPANSA--2026-8796

cpan Sereal-Decoder

24 days ago

Text::LineFold versions through 2019.001 for Perl duplicate the output based on the number of special break characters. Text::LineFold splits the input string by specific line break characters (such as VT, FF and others) into segments, but applies the... CPANSA-Unicode-LineBreak-2026-8594

cpan Unicode-LineBreak

26 days ago

Plack::Middleware::Security::Common versions before 0.13.1 for Perl did not block header injections in request paths. The header injection rule was ineffective at blocking header injections in the request paths unless they were double-encoded, for exa... CPANSA-Plack-Middleware-Security-Simple-2026-9658

cpan Plack-Middleware-Security-Simple

26 days ago

CryptX versions before 0.088_001 for Perl have a stack buffer overflow in four AEAD decrypt_verify helpers. The gcm_decrypt_verify, ccm_decrypt_verify, chacha20poly1305_decrypt_verify and eax_decrypt_verify XS routines copied the caller-supplied authe... CPANSA-CryptX-2026-41565

cpan CryptX

27 days ago

IO::Uncompress::Unzip versions before 2.215 for Perl propagate uncaught exception when parsing zip header with malformed DOS date. _dosToUnixTime() decodes the local-file-header last-modification date field and calls Time::Local::timelocal() without a... CPANSA-IO-Compress-2025-15649

cpan IO-Compress

27 days ago

HTTP::Daemon versions before 6.17 for Perl allow OS command injection via send_file(). send_file() opens its string argument with Perl's 2-arg open(). The 2-arg form interprets magic prefixes: '| cmd' and 'cmd |' open a pipe to a subprocess, '> path' ... CPANSA-HTTP-Daemon-2026-8450

cpan HTTP-Daemon

27 days ago

IO::Compress versions before 2.220 for Perl can execute arbitrary code in File::GlobMapper via an attacker-controlled output glob. _parseOutputGlob() wraps the caller-supplied output glob string in double quotes and stores it in the parser state; _get... CPANSA-IO-Compress-2026-48962

cpan IO-Compress

27 days ago

IO::Compress versions from 2.207 before 2.220 for Perl ship a zipdetails CLI tool that crashes with undefined subroutine on Info-ZIP Unix Extra Field with 8-byte UID or GID. When decode_ux() in bin/zipdetails handles an Info-ZIP Unix Extra Field (tag ... CPANSA-IO-Compress-2026-48961

cpan IO-Compress

27 days ago

IO::Uncompress::Unzip versions before 2.220 for Perl allow CPU exhaustion via per-byte read loop in fastForward. fastForward() compares length $offset (the digit count of the offset, 1 to 19) against the chunk size $c instead of $offset itself, so $c ... CPANSA-IO-Compress-2026-48959

cpan IO-Compress

28 days ago

Perl versions through 5.43.10 have a heap buffer overflow when compiling regular expressions with a repeated fixed string on 32-bit builds. Perl_study_chunk in regcomp_study.c checked the size of the joined substring buffer in characters rather than b... CPANSA-perl-2026-8376

cpan perl

28 days ago

Mojolicious::Plugin::Statsd versions through 0.04 for Perl allowed metric injections. The metric names and set values were not checked for newlines, colons or pipes. Metrics generated from untrusted sources could inject additional statsd metrics. Ver... CPANSA-Mojolicious-Plugin-Statsd-2026-46740

cpan Mojolicious-Plugin-Statsd

28 days ago

Archive::Tar versions before 3.08 for Perl extract hardlinks to attacker controlled paths outside the extraction directory. _make_special_file() passes the tar header's linkname to link() without validating it against absolute paths or .. segments, cr... CPANSA-Archive-Tar-2026-42497

cpan Archive-Tar

28 days ago

Archive::Tar versions before 3.08 for Perl extract symlinks with attacker controlled targets outside the extraction directory. _make_special_file() passes the tar header's linkname to symlink() without validating it against absolute paths or .. segmen... CPANSA-Archive-Tar-2026-42496

cpan Archive-Tar

28 days ago

Archive::Tar versions before 3.10 for Perl allow memory exhaustion via attacker controlled entry size field in tar header. _read_tar() reads each entry's payload with $handle->read($$data, $block), where $block is derived from the entry's 12-byte size... CPANSA-Archive-Tar-2026-9538

cpan Archive-Tar

28 days ago

Crypt::ScryptKDF versions through 0.010 for Perl uses insecure random number source when no CSPRNG module is available. The random_bytes function fell back to using the built-in rand() function when none of the Perl modules Crypt::PRNG, Crypt::OpenSSL... CPANSA-Crypt-ScryptKDF-2026-8647

cpan Crypt-ScryptKDF

about 1 month ago

Catalyst::Plugin::Authentication versions through 0.10024 for Perl is susceptible to timing attacks. These versions use Perl's built-in eq comparison. Discrepencies in timing could be used to guess the underlying hash or password. CPANSA-Catalyst-Plugin-Authentication-2026-5091

cpan Catalyst-Plugin-Authentication

about 1 month ago

Authen::TOTP versions before 0.1.1 for Perl generate secrets using rand. Secrets were generated using Perl's built-in rand function, which is predictable and unsuitable for security usage. CPANSA-Authen-TOTP-2026-46473

cpan Authen-TOTP

about 1 month ago

Crypt::SaltedHash versions through 0.09 for Perl generate insecure random values for salts. These versions use the built-in rand function, which is predictable and unsuitable for cryptography. CPANSA-Crypt-SaltedHash-2026-47372

cpan Crypt-SaltedHash

about 1 month ago

Crypt::SaltedHash versions through 0.09 for Perl is susceptible to timing attacks. These versions use Perl's built-in eq comparison. Discrepencies in timing could be used to guess the underlying hash. CPANSA-Crypt-SaltedHash-2026-47373

cpan Crypt-SaltedHash

about 1 month ago

Template::Plugin::HTML versions through 3.102 for Perl allows HTML and JavaScript to be injected. The html_filter function did not escape single quotes. HTML attributes inside of single quotes could be have code injected. For example, the variable "v... CPANSA-Template-Toolkit-2026-5090

cpan Template-Toolkit

about 1 month ago

Net::Statsd::Lite versions through 0.10.0 for Perl allowed metric injections. The values from the set_add method were not checked for newlines, colons or pipes. Metrics generated from untrusted sources could inject additional statsd metrics. Note tha... CPANSA-Net-Statsd-Lite-2026-8788

cpan Net-Statsd-Lite

about 1 month ago

Net::Statsd::Tiny versions before 0.3.8 for Perl allowed metric injections. The metric names and set values were not checked for newlines, colons or pipes. Metrics generated from untrusted sources could inject additional statsd metrics. CPANSA-Net-Statsd-Tiny-2026-46720

cpan Net-Statsd-Tiny

about 1 month ago

Crypt::OpenSSL::PKCS12 versions through 1.94 for Perl have out-of-bounds (OOB) write flaws. When parsing a PKCS12 file, with a >= 1 GiB OCTET STRING (or BIT STRING) attribute on a SAFEBAG, via info() or info_as_hash(), a heap out-of-bounds write would... CPANSA-Crypt-OpenSSL-PKCS12-2026-8507

cpan Crypt-OpenSSL-PKCS12

about 1 month ago

Crypt::OpenSSL::PKCS12 versions through 1.94 for Perl truncates passwords with embedded NULLs. Password parameters in PKCS12.xs are declared char *, which routes through Perl's default typemap to SvPV_nolen. The Perl length is discarded. The C code ... CPANSA-Crypt-OpenSSL-PKCS12-2026-8721

cpan Crypt-OpenSSL-PKCS12

about 1 month ago

Net::Statsd::Lite versions before 0.9.0 for Perl allowed metric injections. The metric names were not checked for newlines, colons or pipes. Metrics generated from untrusted sources could inject additional statsd metrics. CPANSA-Net-Statsd-Lite-2026-46719

cpan Net-Statsd-Lite

about 1 month ago

Crypt::DSA versions through 1.19 for Perl use 2-args open, allowing existing files to be modified. CPANSA-Crypt-DSA-2026-8704

cpan Crypt-DSA

about 1 month ago

Imager::File::GIF versions through 1.002 for Perl allow a heap out of bounds (OOB) write on crafted multi-frame GIF files. Imager::File::GIF's i_readgif_multi_low allocates a single per-row buffer GifRow sized for the GIF's global screen width 'SWidth... CPANSA-Imager-File-GIF-2026-8454

cpan Imager-File-GIF

about 1 month ago

WWW::Mechanize::Cached versions before 2.00 for Perl deserialize cached HTTP responses from a world-writable on-disk cache, enabling local response forgery and code execution. With no explicit cache backend, WWW::Mechanize::Cached constructs a default... CPANSA-WWW-Mechanize-Cached-2026-8612

cpan WWW-Mechanize-Cached

about 1 month ago

Apache::Session::Generate::SHA256 versions before 1.3.19 for Perl create insecure session ids. Apache::Session::Generate::SHA256 generated session ids insecurely. The default session id generator returns a SHA-256 hash of the built-in rand() function,... CPANSA-Apache-Session-Browseable-2026-8503

cpan Apache-Session-Browseable

about 1 month ago

Imager versions through 1.030 for Perl allow a heap out of bounds (OOB) write on crafted multi-frame GIF files. Imager::File::GIF's i_readgif_multi_low allocates a single per-row buffer GifRow sized for the GIF's global screen width 'SWidth' and reuse... CPANSA-Imager-2026-8669

cpan Imager

about 1 month ago

Trog::TOTP versions before 1.006 for Perl generate secrets using rand. Secrets were generated using Perl's built-in rand function, which is predictable and unsuitable for security usage. CPANSA-Trog-TOTP-2026-46474

cpan Trog-TOTP

about 1 month ago

Crypt::DSA versions before 1.20 for Perl generate seeds using rand. Seeds were generated using Perl's built-in rand function, which is predictable and unsuitable for security usage. CPANSA-Crypt-DSA-2026-8700

cpan Crypt-DSA

about 1 month ago

Crypt::Argon2 versions from 0.017 before 0.031 for Perl perform a heap out-of-bounds read in argon2_verify on empty encoded input. The auto-detect form of argon2_verify passes encoded_len - 1 as the length argument to memchr without checking that enco... CPANSA-Crypt-Argon2-2026-8463

cpan Crypt-Argon2

about 1 month ago

Web::Passwd versions through 0.03 for Perl is vulnerable to RCE. Web::Passwd is a small CGI application for managing htpasswd files using the htpasswd command. The user parameter is not validated or escaped, and is used as the last argument on the co... CPANSA-Web-Passwd-2026-8500

cpan Web-Passwd

about 1 month ago

LWP::UserAgent versions before 6.83 for Perl leak Authorization and Proxy-Authorization headers on cross-origin redirects. On a 3xx response, the redirect handler strips only Host and Cookie before issuing the follow-up request. Caller-supplied Author... CPANSA-libwww-perl-2026-8368

cpan libwww-perl

about 1 month ago

YAML::Syck versions before 1.38 for Perl has an out-of-bounds read. The base60 (sexagesimal) parsing code in perl_syck.h has a buffer underflow bug in both int#base60 and float#base60 handlers. When processing the leftmost segment of a colon-separate... CPANSA-YAML-Syck-2026-5089

cpan YAML-Syck

about 1 month ago

Alien::FreeImage versions through 1.001 for Perl contains several vulnerable libraries. Alien::FreeImage contains version 3.17.0 of the FreeImage library from 2017, which has known vulnerabilities such as CVE-2015-0852 and CVE-2025-65803. The library... CPANSA-Alien-FreeImage-2022-4988

cpan Alien-FreeImage

about 1 month ago

WebDyne::Session versions through 2.075 for Perl generates the session id insecurely. The session handler generates the session id from an MD5 hash seeded with a call to the built-in rand() function. The rand function is passed a maximum value based o... CPANSA-WebDyne-2026-5084

cpan WebDyne-Session

about 1 month ago

Amazon::Credentials versions through 1.2.0 for Perl uses rand to generate encryption keys. Amazon::Credentials stores credentials in an obfuscated form to prevent access to the secrets from a data dump of the object. Before version 1.3.0, the secrets... CPANSA-Amazon-Credentials-2026-6146

cpan Amazon-Credentials

about 1 month ago

HTTP::Tiny versions before 0.093 for Perl do not validate CRLF in HTTP request lines or control field header values. The unvalidated inputs are the method and URI in the request line, the URL host that becomes the `Host:` header, and HTTP/1.1 control ... CPANSA-HTTP-Tiny-2026-7010

cpan HTTP-Tiny

about 1 month ago

Plack::Middleware::Statsd versions before 0.9.0 for Perl may leak user IP addresses. If the communication channel to the statsd daemon is not secured (for example, by sending UDP packets to a host on another network), then users' IP addresses may be l... CPANSA-Plack-Middleware-Statsd-2026-45179

cpan Plack-Middleware-Statsd

about 1 month ago

Net::CIDR::Lite versions before 0.24 for Perl does not properly consider extraneous zero characters in CIDR mask values, which may allow IP ACL bypass. Mask forms like "/00" and "/01" pass validation and parse to the same prefix as their unpadded valu... CPANSA-Net-CIDR-Lite-2026-45191

cpan Net-CIDR-Lite

about 1 month ago

Net::CIDR::Lite versions before 0.24 for Perl does not properly validate IP address and CIDR mask inputs, which may allow IP ACL bypass. Inputs containing a trailing newline or non-ASCII digit characters pass the validators but are then re-encoded by ... CPANSA-Net-CIDR-Lite-2026-45190

cpan Net-CIDR-Lite

about 1 month ago

XML::LibXML versions through 2.0210 for Perl read out-of-bounds heap memory when parsing XML node names containing truncated UTF-8 byte sequences. A node name ending in the middle of a multi byte UTF-8 sequence causes the parser to read past the end o... CPANSA-XML-LibXML-2026-8177

cpan XML-LibXML

about 1 month ago

Catalyst::Plugin::Statsd versions through 0.10.0 for Perl may leak session ids. If the communication channel to the statsd daemon is not secured (for example, by sending UDP packets to a host on another network), then users' session ids may be leaked.... CPANSA-Catalyst-Plugin-Statsd-2026-45180

cpan Catalyst-Plugin-Statsd

about 2 months ago

Apache::Session versions through 1.94 for Perl re-creates deleted sessions. The session stores Apache::Session::Store::File and Apache::Session::Store::DB_File will create a session that does not exist. This can lead to sessions being revived, potent... CPANSA-Apache-Session-2013-10075

cpan Apache-Session

about 2 months ago

Crypt::PasswdMD5 versions through 1.42 for Perl generates insecure random values for salts. The built-in rand function is predictable, and unsuitable for cryptography. CPANSA-Crypt-PasswdMD5-2026-6659

cpan Crypt-PasswdMD5

about 2 months ago

Gazelle versions through 0.49 for Perl allows HTTP Request Smuggling via Improper Header Precedence. Gazelle incorrectly prioritizes "Content-Length" over "Transfer-Encoding: chunked" when both headers are present in an HTTP request. Per RFC 7230 3.3.... CPANSA-Gazelle-2026-40562

cpan Gazelle

about 2 months ago

Apache::Session::Generate::ModUniqueId versions from 1.54 through 1.94 for Perl session ids are insecure. Apache::Session::Generate::ModUniqueId (added in version 1.54) uses the value of the UNIQUE_ID environment variable for the session id. The UNIQU... CPANSA-Apache-Session-2026-5081

cpan Apache-Session

about 2 months ago

Starlet versions through 0.31 for Perl allows HTTP Request Smuggling via Improper Header Precedence. Starlet incorrectly prioritizes "Content-Length" over "Transfer-Encoding: chunked" when both headers are present in an HTTP request. Per RFC 7230 3.3.... CPANSA-Starlet-2026-40561

cpan Starlet

about 2 months ago

Dancer::Session::Abstract versions through 1.3522 for Perl generates session ids insecurely. The session id is generated from summing the character codepoints of the absolute pathname with the process id, the epoch time and calls to the built-in rand(... CPANSA-Dancer-2026-5080

cpan Dancer

about 2 months ago

Text::CSV_XS versions before 1.62 for Perl have a use-after-free when registered callbacks extend the Perl argument stack, which may enable type confusion or memory corruption. The Parse, print, getline, and getline_all methods invoke registered callb... CPANSA-Text-CSV_XS-2026-7111

cpan Text-CSV_XS

about 2 months ago

Starman versions before 0.4018 for Perl allows HTTP Request Smuggling via Improper Header Precedence. Starman incorrectly prioritizes "Content-Length" over "Transfer-Encoding: chunked" when both headers are present in an HTTP request. Per RFC 7230 3.3... CPANSA-Starman-2026-40560

cpan Starman

about 2 months ago

Plack::Middleware::XSendfile versions through 1.0053 for Perl can allow client-controlled path rewriting. Plack::Middleware::XSendfile allows the variation setting (sendfile type) to be set by the client via the X-Sendfile-Type header, if it is not co... CPANSA-Plack-2026-7381

cpan Plack

about 2 months ago

Text::Minify::XS versions from v0.3.0 before v0.7.8 for Perl have a heap overflow when processing some malformed UTF-8 characters. The minify functions mishandled some malformed UTF-8 characters, leading to heap corruption. Note that the minify_utf8 ... CPANSA-Text-Minify-XS-2026-7040

cpan Text-Minify-XS

2 months ago

CryptX versions before 0.088 for Perl do not reseed the Crypt::PK PRNG state after forking. The Crypt::PK::RSA, Crypt::PK::DSA, Crypt::PK::DH, Crypt::PK::ECC, Crypt::PK::Ed25519 and Crypt::PK::X25519 modules seed a per-object PRNG state in their const... CPANSA-CryptX-2026-41564

cpan CryptX

2 months ago

Net::Dropbear versions before 0.14 for Perl contains a vulnerable version of libtomcrypt. Net::Dropbear versions before 0.14 includes versions of Dropbear 2019.78 or earlier. These include versions of libtomcrypt v1.18.1 or earlier, which is affected ... CPANSA-Net-Dropbear-2025-15638

cpan Net-Dropbear

2 months ago

Storable versions before 3.05 for Perl has a stack overflow. The retrieve_hook function stored the length of the class name into a signed integer but in read operations treated the length as unsigned. This allowed an attacker to craft data that could ... CPANSA-Storable-2017-20230

cpan Storable

2 months ago

Apache::API::Password versions through v0.5.2 for Perl can generate insecure random values for salts. The _make_salt and _make_salt_bcrypt methods will attept to load Crypt::URandom and then Bytes::Random::Secure to generate random bytes for the salt.... CPANSA-Apache2-API-2026-5088

cpan Apache2-API

2 months ago

Crypt::SecretBuffer versions before 0.019 for Perl is suseceptible to timing attacks. For example, if Crypt::SecretBuffer was used to store and compare plaintext passwords, then discrepencies in timing could be used to guess the secret password. CPANSA-Crypt-SecretBuffer-2026-5086

cpan Crypt-SecretBuffer

2 months ago

Solstice::Session versions through 1440 for Perl generates session ids insecurely. The _generateSessionID method returns an MD5 digest seeded by the epoch time, a random hash reference, a call to the built-in rand() function and the process id. The s... CPANSA-Solstice-2026-5085

cpan Solstice

2 months ago

Net::CIDR::Lite versions before 0.23 for Perl mishandles IPv4 mapped IPv6 addresses, which may allow IP ACL bypass. _pack_ipv6() includes the sentinel byte from _pack_ipv4() when building the packed representation of IPv4 mapped addresses like ::ffff:... CPANSA-Net-CIDR-Lite-2026-40199

cpan Net-CIDR-Lite

2 months ago

Net::CIDR::Lite versions before 0.23 for Perl does not validate IPv6 group count, which may allow IP ACL bypass. _pack_ipv6() does not check that uncompressed IPv6 addresses (without ::) have exactly 8 hex groups. Inputs like "abcd", "1:2:3", or "1:2:... CPANSA-Net-CIDR-Lite-2026-40198

cpan Net-CIDR-Lite

3 months ago

Movable Type provided by Six Apart Ltd. contains a code injection vulnerability which may allow an attacker to execute arbitrary Perl script. CPANSA-Net-MovableType-2026-25776

cpan MT

3 months ago

Ado::Sessions versions through 0.935 for Perl generates insecure session ids. The session id is generated from a SHA-1 hash seeded with the built-in rand function, the epoch time, and the PID. The PID will come from a small set of numbers, and the epo... CPANSA--2026-5083

cpan Ado

3 months ago

Amon2::Plugin::Web::CSRFDefender versions from 7.00 through 7.03 for Perl generate an insecure session id. The generate_session_id function will attempt to read bytes from the /dev/urandom device, but if that is unavailable then it generates bytes usi... CPANSA-Amon2-Plugin-Web-CSRFDefender-2026-5082

cpan Amon2-Plugin-Web-CSRFDefender

3 months ago

Business::OnlinePayment::StoredTransaction versions through 0.01 for Perl uses an insecure secret key. Business::OnlinePayment::StoredTransaction generates a secret key by using a MD5 hash of a single call to the built-in rand function, which is unsui... CPANSA-Business-OnlinePayment-StoredTransaction-2025-15618

cpan Business-OnlinePayment-StoredTransaction

3 months ago

PAGI::Middleware::Session::Store::Cookie versions through 0.001003 for Perl generates random bytes insecurely. PAGI::Middleware::Session::Store::Cookie attempts to read bytes from the /dev/urandom device directly. If that fails (for example, on system... CPANSA-PAGI-Middleware-Session-Store-Cookie-2026-5087

cpan PAGI-Middleware-Session-Store-Cookie

3 months ago

Sereal::Decoder versions from 4.000 through 4.009_002 for Perl embeds a vulnerable version of the Zstandard library. Sereal::Decoder embeds a version of the Zstandard (zstd) library that is vulnerable to CVE-2019-11922. This is a race condition in th... CPANSA-Sereal-Decoder-2024-14030

cpan Sereal-Decoder

3 months ago

Sereal::Encoder versions from 4.000 through 4.009_002 for Perl embeds a vulnerable version of the Zstandard library. Sereal::Encoder embeds a version of the Zstandard (zstd) library that is vulnerable to CVE-2019-11922. This is a race condition in th... CPANSA-Sereal-Encoder-2024-14031

cpan Sereal-Encoder

3 months ago

Perl versions from 5.9.4 before 5.40.4-RC1, from 5.41.0 before 5.42.2-RC1, from 5.43.0 before 5.43.9 contain a vulnerable version of Compress::Raw::Zlib. Compress::Raw::Zlib is included in the Perl package as a dual-life core module, and is vulnerable... CPANSA-perl-2026-4176

cpan perl

3 months ago

Perl versions from 5.9.4 before 5.40.4-RC1, from 5.41.0 before 5.42.2-RC1, from 5.43.0 before 5.43.9 contain a vulnerable version of Compress::Raw::Zlib. Compress::Raw::Zlib is included in the Perl package as a dual-life core module, and is vulnerable... CPANSA-Compress-Raw-Zlib-2026-4176

cpan Compress-Raw-Zlib

3 months ago

GRID::Machine versions through 0.127 for Perl allows arbitrary code execution via unsafe deserialization. GRID::Machine provides Remote Procedure Calls (RPC) over SSH for Perl. The client connects to remote hosts to execute code on them. A compromised... CPANSA-GRID-Machine-2026-4851

cpan GRID-Machine

3 months ago

HTTP::Session versions through 0.53 for Perl defaults to using insecurely generated session ids. HTTP::Session defaults to using HTTP::Session::ID::SHA1 to generate session ids using a SHA-1 hash seeded with the built-in rand function, the high resolu... CPANSA-http-session-2026-3256

cpan http-session

3 months ago

Amon2 versions before 6.17 for Perl use an insecure random_string implementation for security functions. In versions 6.06 through 6.16, the random_string function will attempt to read bytes from the /dev/urandom device, but if that is unavailable then... CPANSA-Amon2-2025-15604

cpan Amon2

3 months ago

Plack::Middleware::Session::Cookie versions through 0.21 for Perl allows remote code execution. Plack::Middleware::Session::Cookie versions through 0.21 has a security vulnerability where it allows an attacker to execute arbitrary code on the server d... CPANSA-Plack-Middleware-Session-2014-125112

cpan Plack-Middleware-Session

3 months ago

XML::Parser versions through 2.47 for Perl has an off-by-one heap buffer overflow in st_serial_stack. In the case (stackptr == stacksize - 1), the stack will NOT be expanded. Then the new value will be written at location (++stackptr), which equals st... CPANSA-XML-Parser-2006-10003

cpan XML-Parser

3 months ago

XML::Parser versions through 2.45 for Perl could overflow the pre-allocated buffer size cause a heap corruption (double free or corruption) and crashes. A :utf8 PerlIO layer, parse_stream() in Expat.xs could overflow the XML input buffer because Perl'... CPANSA-XML-Parser-2006-10002

cpan XML-Parser

3 months ago

YAML::Syck versions through 1.36 for Perl has several potential security vulnerabilities including a high-severity heap buffer overflow in the YAML emitter. The heap overflow occurs when class names exceed the initial 512-byte allocation. The base64 ... CPANSA-YAML-Syck-2026-4177

cpan YAML-Syck

4 months ago

Crypt::Sodium::XS versions through 0.001000 for Perl has potential integer overflows. Combined aead encryption, combined signature creation, and bin2hex functions do not check that output size will be less than SIZE_MAX, which could lead to integer wr... CPANSA-Crypt-Sodium-XS-2026-30910

cpan Crypt-Sodium-XS

4 months ago

Crypt::NaCl::Sodium versions through 2.002 for Perl has potential integer overflows. bin2hex, encrypt, aes256gcm_encrypt_afternm and seal functions do not check that output size will be less than SIZE_MAX, which could lead to integer wraparound causin... CPANSA-Crypt-NaCl-Sodium-2026-30909

cpan Crypt-NaCl-Sodium

4 months ago

Plack::Middleware::Session::Simple versions through 0.04 for Perl generates session ids insecurely. The default session id generator returns a SHA-1 hash seeded with the built-in rand function, the epoch time, and the PID. The PID will come from a sma... CPANSA-Plack-Middleware-Session-Simple-2025-40926

cpan Plack-Middleware-Session-Simple

4 months ago

Apache::Session::Generate::MD5 versions through 1.94 for Perl create insecure session id. Apache::Session::Generate::MD5 generates session ids insecurely. The default session id generator returns a MD5 hash seeded with the built-in rand() function, th... CPANSA-Apache-Session-2025-40931

cpan Apache-Session

4 months ago

Net::NSCA::Client versions through 0.009002 for Perl uses a poor random number generator. Version v0.003 switched to use Data::Rand::Obscure instead of Crypt::Random for generation of a random initialisation vectors. Data::Rand::Obscure uses Perl's b... CPANSA-Net-NSCA-Client-2024-57854

cpan Net-NSCA-Client

4 months ago

Compress::Raw::Zlib versions through 2.219 for Perl use potentially insecure versions of zlib. Compress::Raw::Zlib includes a copy of the zlib library. Compress::Raw::Zlib version 2.220 includes zlib 1.3.2, which addresses findings fron the 7ASecurity... CPANSA-Compress-Raw-Zlib-2026-3381

cpan Compress-Raw-Zlib

4 months ago

UnQLite versions through 0.06 for Perl uses a potentially insecure version of the UnQLite library. UnQLite for Perl embeds the UnQLite library. Version 0.06 and earlier of the Perl module uses a version of the library from 2014 that may be vulnerable... CPANSA-UnQLite-2026-3257

cpan UnQLite

Filter by Severity

Moderate 210 High 101 Critical 49 Low 6

Filter by Package

perl 46 DBD-SQLite 42 MT 37 Mojolicious 18 Dpkg 14 Yukki 14 MySQL-Admin 13 Kossy 11 Zonemaster-GUI 11 App-Netdisco 10 YATT-Lite 10 SockJS 10 UR 10 Ukigumo-Server 10 Yancy 10 DBI 10 Zabbix-Reporter 10 Sidef 9 Stardust 9 JS-jQuery 9 Plack-Debugger 9 Resource-Pack-jQuery 9 Yote 9 Squatting 9 Net-Dropbear 7 Imager 7 DBD-mysql 7 File-Path 6 libwww-perl 6 Cpanel-JSON-XS 6 Archive-Tar 6 CGI 6 Sereal-Decoder 5 CryptX 5 ActivePerl 5 Win32-File-Summary 5 Git-Raw 5 Net-CIDR-Lite 5 IO-Compress 5 YAML-LibYAML 4 Tk 4 Jifty 4 Archive-Unzip-Burst 4 Net-CIDR-Set 4 Plack 4 Lemonldap-NG-Portal 4 Alien-SVN 4 HTTP-Tiny 4 CGI-Simple 4 Sereal-Encoder 4 Git-XS 4 Compress-Raw-Zlib 4 Encode 3 Apache-Session 3 Net-SNMP 3 XML-LibXML 3 YAML-Syck 3 Safe 3 Crypt-CBC 3 Crypt-Sodium-XS 3 Lemonldap-NG-Handler 3 Config-Model 3 DBD-Pg 3 mod_perl 3 SOAP-Lite 3 DBD-MariaDB 3 Plack-Middleware-Session 3 Dancer 3 UI-Dialog 3 Lemonldap-NG-Common 3 Image-ExifTool 3 Net-DNS 3 CPAN 3 Crypt-DSA 3 GBrowse 3 Lemonldap-NG-Manager 3 Perl6-Pugs 3 HTML-Parser 2 DataDog-DogStatsd 2 Boost-Graph 2 HTTP-Session2 2 CGI-Session 2 Crypt-NaCl-Sodium 2 Mozilla-CA 2 Catalyst-Runtime 2 FCGI 2 XML-Parser 2 cppAdaptive1 2 Alien-FreeImage 2 Perl-Tidy 2 Crypt-OpenSSL-PKCS12 2 Compress-Raw-Bzip2 2 Spreadsheet-ParseXLSX 2 PathTools 2 HarfBuzz-Shaper 2 MHonArc 2 YAML 2 BSON-XS 2 Apache-Session-Browseable 2 Crypt-SaltedHash 2 Archive-Zip 2 Digest 2 EasyTCP 2 Locale-Maketext 2 Storable 2 Crypt-Random 2 Tcl 2 App-cpanminus 2 Win32-Printer 2 App-revealup 2 POSIX-2008 2 Net-OpenID-Consumer 2 IO-Socket-SSL 2 Net-Statsd-Lite 2 HTTP-Daemon 2 PAR 2 Email-Address 2 DBIx-Class-EncodedColumn 2 Crypt-Perl 2 cppAdaptive2 2 Zonemaster-Backend 2 Plack-Middleware-Statsd 2 CBOR-XS 1 Catalyst-Action-REST 1 Crypt-ScryptKDF 1 Amon2-Auth-Site-LINE 1 XML-Atom 1 Net-Xero 1 JavaScript-Duktape 1 CPAN-Checksums 1 IPC-Run 1 JSON-XS 1 Unicode-LineBreak 1 Starman 1 CGI-Application-Plugin-AutoRunmode 1 Apache-Wyrd 1 WWW-UsePerl-Server 1 Net-IP-LPM 1 Net-IPv4Addr 1 Imager-File-GIF 1 Plack-Middleware-XSRFBlock 1 Gazelle 1 Amon2 1 Amon2-Plugin-Web-CSRFDefender 1 RPC-XML 1 eperl 1 Crypt-RandomEncryption 1 Mojo-DOM-Role-Analyzer 1 Mail-Audit 1 Graphics-ColorNames 1 Dancer2 1 Catalyst-Controller-Combine 1 PAR-Packer 1 Devel-StackTrace 1 ExtUtils-MakeMaker 1 Sub-HandlesVia 1 Crypt-SysRandom-XS 1 SVG-Sparkline 1 Apache2-API 1 App-Github-Email 1 Cmd-Dwarf 1 XML-Simple 1 Protocol-HTTP2 1 Search-OpenSearch-Server 1 WWW-Mechanize-Cached 1 Image-Info 1 MARC-File-XML 1 Term-ReadLine-Gnu 1 Otogiri 1 File-Temp 1 Pinto 1 LWP-Protocol-Net-Curl 1 Crypt-Primes 1 Catalyst-Plugin-Session 1 String-Compare-ConstantTime 1 Crypt-OpenSSL-RSA 1 Alien-PCRE2 1 Data-FormValidator 1 Clipboard 1 XML-Twig 1 Redis-Fast 1 Text-CSV_XS 1 Crypt-OpenSSL-DSA 1 Catalyst-Plugin-Authentication 1 Authen-SASL 1 Apache-AuthCAS 1 perl-ldap 1 Apache-SessionX 1 Amazon-Credentials 1 Crypt-PasswdMD5 1 Mojolicious-Plugin-OAuth2 1 Filesys-SmbClientParser 1 WWW-Mechanize 1 Template-Toolkit 1 PApp 1 Web-Passwd 1 CGI-Application-Dispatch 1 Crypt-Random-Source 1 Catalyst-Plugin-Static 1 Apache2-AuthAny 1

Filter by Repository

https://github.com/jquery/jquery 108 https://github.com/Perl/perl5 22 https://github.com/sqlite/sqlite 15 https://github.com/mojolicious/mojo 12 https://github.com/twbs/bootstrap 9 https://github.com/perl5-dbi/DBD-mysql 7 https://github.com/glennrp/libpng 6 https://github.com/briandfoy/cpan-security-advisory 6 https://sourceforge.net/projects/sourceforge.net 6 https://github.com/madler/zlib 6 https://github.com/rurban/Cpanel-JSON-XS 6 https://github.com/stigtsp/Net-CIDR-Lite 5 https://github.com/perl5-dbi/dbi 5 https://github.com/jib/archive-tar-new 5 https://github.com/pmqs/IO-Compress 4 https://github.com/facebook/zstd 4 https://github.com/libgit2/security 3 https://github.com/jquery/jquery-ui 3 https://github.com/dod38fr/config-model 3 https://github.com/DCIT/perl-CryptX 3 https://github.com/cpan-authors/YAML-Syck 3 https://github.com/kmx/alien-freeimage 3 https://github.com/redis/hiredis 3 https://github.com/libtom/libtomcrypt 3 https://github.com/tonycoz/imager 3 https://github.com/libwww-perl/libwww-perl 2 https://github.com/PerlDancer/Dancer 2 https://github.com/chartjs/Chart.js 2 https://github.com/svaarala/duktape 2 https://github.com/libwww-perl/HTTP-Daemon 2 https://github.com/miyagawa/cpanminus 2 https://github.com/zonemaster/zonemaster-backend 2 https://github.com/LemonLDAPNG/Apache-Session-Browseable 2 https://github.com/ingydotnet/yaml-libyaml-pm 2 https://github.com/robrwo/Plack-Middleware-Statsd 2 https://github.com/ingydotnet/yaml-pm 2 https://github.com/FGasper/p5-Crypt-Perl 2 https://github.com/cpan-authors/XML-Parser 2 https://github.com/chansen/p5-http-tiny 2 https://github.com/robrwo/perl-Crypt-SaltedHash 2 https://github.com/cpan-authors/crypt-nacl-sodium 2 https://github.com/andk/cpanpm 2 https://github.com/tokuhirom/HTTP-Session2 2 https://github.com/richgel999/miniz 2 https://github.com/AndyA/CGI--Simple 2 https://github.com/hashcat/hashcat 2 https://github.com/libtom/libtommath 2 https://github.com/mitmproxy/pdoc 2 https://github.com/jedisct1/libsodium 2 https://github.com/exiftool/exiftool 2 https://github.com/blog/1938-git-client-vulnerability-announced 2 https://github.com/hatukanezumi/Unicode-LineBreak 1 https://github.com/gitpan/PerlSpeak 1 https://github.com/perl-net-saml2/perl-XML-Sig 1 https://github.com/perl-catalyst/Catalyst-Plugin-Authentication 1 https://sourceforge.net/projects/net-snmp 1 https://github.com/plack/Plack-Middleware-Session 1 https://github.com/robrwo/perl-Mojolicious-Plugin-Statsd 1 https://github.com/cosimo/perl5-net-statsd 1 https://github.com/josdejong/jsoneditor 1 https://github.com/libwww-perl/HTML-Parser 1 https://github.com/houseabsolute/Data-Validate-IP 1 https://github.com/dagolden/Capture-Tiny 1 https://github.com/dajobe/raptor 1 https://github.com/toddr/Crypt-OpenSSL-RSA 1 https://github.com/robrwo/CatalystX-Statsd 1 https://github.com/redhotpenguin/perl-soaplite 1 https://github.com/miyagawa/Starman 1 https://github.com/dankogai/p5-encode 1 https://github.com/wrog/Net-OpenID-Consumer 1 https://github.com/ytnobody/Otogiri 1 https://github.com/cromedome/cgi-application-plugin-captcha 1 https://github.com/preaction/Log-Any 1 https://github.com/mtrmac/IPTables-Parse 1 https://github.com/richardc/perl-file-find-rule 1 https://github.com/hakimel/reveal.js 1 https://github.com/atoomic/Crypt-Random 1 https://github.com/libwww-perl/lwp-protocol-https 1 https://github.com/cpan-authors/XML-LibXML 1 https://github.com/cpan-authors/Text-CSV_XS 1 https://github.com/amaltsev/XAO-Web 1 https://github.com/xsawyerx/app-genpass 1 https://github.com/bluefeet/GitLab-API-v4 1 https://github.com/gbarr/perl-authen-sasl 1 https://github.com/FastCGI-Archives/fcgi2 1 https://github.com/LemonLDAPNG/Apache-Session-LDAP 1 https://github.com/rjbs/Email-MIME 1 https://github.com/dsully/perl-crypt-openssl-pkcs12 1 https://github.com/zhuowei/worthdoingbadly.com 1 https://github.com/kazeburo/Kossy 1 https://github.com/sgnix/kelp 1 https://github.com/certifi/python-certifi 1 https://github.com/kberov/Ado 1 https://github.com/ycdxsb/WindowsPrivilegeEscalation 1 https://github.com/gray/compress-lz4 1 https://github.com/kraih/mojo 1 https://github.com/redhotpenguin/perl-Archive-Zip 1 https://github.com/perl-catalyst/FCGI 1 https://github.com/Perl-Toolchain-Gang/ExtUtils-MakeMaker 1 https://github.com/svarshavchik/Net-CIDR 1 https://github.com/harfbuzz/harfbuzz 1 https://github.com/perl-catalyst/Catalyst-Authentication-Credential-HTTP 1 https://github.com/Leont/crypt-argon2 1 https://github.com/jberger/Galileo 1 https://github.com/pjuhasz/JSON-SIMD 1 https://github.com/faraco/App-Github-Email 1 https://github.com/plack/Plack 1 https://github.com/moment/moment 1 https://github.com/moxiecode/plupload 1 https://github.com/jkeenan/File-Path 1 https://github.com/abw/Template2 1 https://github.com/marcusramberg/Mojolicious-Plugin-OAuth2 1 https://github.com/atrodo/Net-Dropbear 1 https://github.com/Perl-Toolchain-Gang/HTTP-Tiny 1 https://github.com/snapappointments/bootstrap-select 1 https://github.com/robrwo/Net-Statsd-Lite 1 https://github.com/perltidy/perltidy 1 https://github.com/robrwo/Text-Minify-XS 1 https://github.com/markstos/CGI.pm 1 https://github.com/perl-catalyst/Catalyst-Plugin-Session 1 https://github.com/rjbs/Email-Address 1 https://github.com/clintongormley/perl-html-stripscripts 1 https://github.com/robrwo/Net-Statsd-Tiny 1 https://github.com/mkj/dropbear 1 https://github.com/Perl-Toolchain-Gang/File-Temp 1 https://github.com/Dual-Life/Devel-PPPort 1 https://github.com/kazuho/Starlet 1 https://bitbucket.org/shlomif/perl-config-inifiles 1 https://bitbucket.org/xi/libyaml 1 https://github.com/bwva/Concierge-Sessions 1 https://github.com/google/brotli 1 https://github.com/haile01/perl_spreadsheet_excel_rce_poc 1 https://github.com/karpet/Dezi 1 https://github.com/bluefeet/Starch 1 https://github.com/gisle/html-parser 1 https://github.com/angular/angular.js 1 https://github.com/DCIT/perl-Crypt-JWT 1 https://github.com/perl-Crypt-OpenPGP/Crypt-Random 1 https://github.com/jmcnamara/spreadsheet-parseexcel 1 https://github.com/thaljef/Pinto 1 https://github.com/karenetheridge/Crypt-Random-Source 1 https://github.com/tchatzi/Authen-TOTP 1 https://github.com/gbarr/perl-Convert-ASN1 1 https://github.com/Sereal/Sereal 1 https://github.com/creaktive/LWP-Protocol-Net-Curl 1 https://github.com/seagirl/dwarf 1 https://github.com/yuki-kimoto/DBIx-Custom 1 https://github.com/robrwo/perl-Net-CIDR-Set 1 https://github.com/markstos/CGI--Application 1 https://github.com/mojomojo/mojomojo 1 https://github.com/tokuhirom/Amon 1 https://github.com/libwww-perl/WWW-Mechanize-Cached 1 https://github.com/lstein/Lib-Crypt-CBC 1 https://github.com/rschupp/Module-ScanDeps 1 https://github.com/PerlDancer/Dancer2 1 https://github.com/grantm/xml-simple 1 https://github.com/kazeburo/Plack-Middleware-Session-Simple 1 https://github.com/karpet/search-opensearch-server 1 https://github.com/gwadej/svg-sparkline 1 https://github.com/gnustavo/SVN-Look 1 https://github.com/atoomic/Crypt-Primes 1