Data

Tools

Indexes

Applications

Experiments

Advisories

An open API service providing security vulnerability metadata for many open source software ecosystems.

cpan

cpan

374 packages · metacpan.org

Security Advisories in cpan

about 1 year ago

PerlSpeak through 2.01 allows attackers to execute arbitrary OS commands, as demonstrated by use of system and 2-argument open. CPANSA-PerlSpeak-2011-10007

cpan PerlSpeak
High
over 10 years ago

Digest::SHA before 5.96 with perls earlier than v5.26 included the current working directory in the module search path, which could lead to the inadvernant loading of unexpected versions of a module. The current directory was removed from the default m... CPANSA-Digest-SHA-2016-1238

cpan Digest-SHA
over 10 years ago

Allows remote attackers to execute arbitrary commands. CPANSA-UI-Dialog-2015-01

cpan UI-Dialog
almost 12 years ago

The (1) mkxmltype and (2) mkdtskel scripts in XML-DT before 0.64 allow local users to overwrite arbitrary files via a symlink attack on a /tmp/_xml_##### temporary file. CPANSA-XML-DT-2014-5260

cpan XML-DT
High
almost 10 years ago

Imager would search the default current directory entry in @INC when searching for file format support modules. CPANSA-Imager-2016-1238

cpan Imager
about 18 years ago

Buffer overflow in Imager 0.42 through 0.63 allows attackers to cause a denial of service (crash) via an image based fill in which the number of input channels is different from the number of output channels. CPANSA-Imager-2008-1928

cpan Imager
about 19 years ago

Heap-based buffer overflow in the BMP reader (bmp.c) in Imager perl module (libimager-perl) 0.45 through 0.56 allows remote attackers to cause a denial of service (application crash) and possibly execute arbitrary code via crafted 8-bit/pixel compresse... CPANSA-Imager-2007-2459

cpan Imager
about 20 years ago

Imager (libimager-perl) before 0.50 allows user-assisted attackers to cause a denial of service (segmentation fault) by writing a 2- or 4-channel JPEG image (or a 2-channel TGA image) to a scalar, which triggers a NULL pointer dereference. CPANSA-Imager-2006-0053

cpan Imager
about 1 month ago

Imager versions through 1.030 for Perl allow a heap out of bounds (OOB) write on crafted multi-frame GIF files. Imager::File::GIF's i_readgif_multi_low allocates a single per-row buffer GifRow sized for the GIF's global screen width 'SWidth' and reuse... CPANSA-Imager-2026-8669

cpan Imager
High
almost 10 years ago

(1) cpan/Archive-Tar/bin/ptar, (2) cpan/Archive-Tar/bin/ptardiff, (3) cpan/Archive-Tar/bin/ptargrep, (4) cpan/CPAN/scripts/cpan, (5) cpan/Digest-SHA/shasum, (6) cpan/Encode/bin/enc2xs, (7) cpan/Encode/bin/encguess, (8) cpan/Encode/bin/piconv, (9) cpan/... CPANSA-IPC-Cmd-2016-1238

cpan IPC-Cmd
over 8 years ago

Insecure dependency on Email::Address. CPANSA-App-Github-Email-2018-01

cpan App-Github-Email
High
over 6 years ago

The Batch::Batchrun module 1.03 for Perl does not properly handle temporary files. CPANSA-Batch-Batchrun-2011-4117

cpan Batch-Batchrun
over 17 years ago

perl-MDK-Common 1.1.11 and 1.1.24, 1.2.9 through 1.2.14, and possibly other versions, in Mandriva Linux does not properly handle strings when writing them to configuration files, which allows attackers to gain privileges via "special characters" in uns... CPANSA-MDK-Common-2009-0912

cpan MDK-Common
Moderate
over 4 years ago

Duktape v2.99.99 was discovered to contain a SEGV vulnerability via the component duk_push_tval in duktape/duk_api_stack.c. CPANSA-JavaScript-Duktape-2021-46322-duktape

cpan JavaScript-Duktape
over 2 years ago

The makerandom program that comes with Crypt::Random adds module search paths in its shebang line, potentially leading to issues with unexpected modules being loaded CPANSA-Crypt-Random-2024-001

cpan Crypt-Random
over 1 year ago

Crypt::Random Perl package 1.05 through 1.55 may use rand() function, which is not cryptographically strong, for cryptographic functions. If the Provider is not specified and /dev/urandom or an Entropy Gathering Daemon (egd) service is not availabl... CPANSA-Crypt-Random-2025-1828

cpan Crypt-Random
2 months ago

Apache::API::Password versions through v0.5.2 for Perl can generate insecure random values for salts. The _make_salt and _make_salt_bcrypt methods will attept to load Crypt::URandom and then Bytes::Random::Secure to generate random bytes for the salt.... CPANSA-Apache2-API-2026-5088

cpan Apache2-API
almost 14 years ago

The Config::IniFiles module before 2.71 for Perl creates temporary files with predictable names, which allows local users to overwrite arbitrary files via a symlink attack. NOTE: some of these details are obtained from third party information. NOTE: ... CPANSA-Config-IniFiles-2012-2451

cpan Config-IniFiles
28 days ago

Template::Plugin::HTML versions through 3.102 for Perl allows HTML and JavaScript to be injected. The html_filter function did not escape single quotes. HTML attributes inside of single quotes could be have code injected. For example, the variable "v... CPANSA-Template-Toolkit-2026-5090

cpan Template-Toolkit
almost 12 years ago

The _rl_tropen function in util.c in GNU readline before 6.3 patch 3 allows local users to create or overwrite arbitrary files via a symlink attack on a /var/tmp/rltrace.[PID] file. CPANSA-Term-ReadLine-Gnu-2014-2524

cpan Term-ReadLine-Gnu
about 1 year ago

Crypt::Salt for Perl version 0.01 uses insecure rand() function when generating salts for cryptographic purposes. CPANSA-Crypt-Salt-2025-1805

cpan Crypt-Salt
3 months ago

Business::OnlinePayment::StoredTransaction versions through 0.01 for Perl uses an insecure secret key. Business::OnlinePayment::StoredTransaction generates a secret key by using a MD5 hash of a single call to the built-in rand function, which is unsui... CPANSA-Business-OnlinePayment-StoredTransaction-2025-15618

cpan Business-OnlinePayment-StoredTransaction
5 months ago

HarfBuzz::Shaper versions before 0.032 for Perl contains a bundled library with a null pointer dereference vulnerability.  Versions before 0.032 contain HarfBuzz 8.4.0 or earlier bundled as hb_src.tar.gz in the source tarball, which is affected by CV... CPANSA-HarfBuzz-Shaper-2026-0943

cpan HarfBuzz-Shaper
over 2026 years ago

When debug messaging is enabled using hb_buffer_set_message_func, a maliciously crafted font can trigger a buffer overflow using a complicated sequence lookup, leading to unauthorised overwriting of other data. CPANSA-HarfBuzz-Shaper-0000-0000-harfbuzz

cpan HarfBuzz-Shaper
17 days ago

Text::LineFold versions through 2019.001 for Perl duplicate the output based on the number of special break characters. Text::LineFold splits the input string by specific line break characters (such as VT, FF and others) into segments, but applies the... CPANSA-Unicode-LineBreak-2026-8594

cpan Unicode-LineBreak
Critical
over 4 years ago

lib/Image/ExifTool.pm in ExifTool before 12.38 mishandles a $file =~ /\|$/ check, leading to command injection. CPANSA-Image-ExifTool-2022-23935

cpan Image-ExifTool
about 5 years ago

Improper neutralization of user data in the DjVu file format in ExifTool versions 7.44 and up allows arbitrary code execution when parsing the malicious image CPANSA-Image-ExifTool-2021-22204

cpan Image-ExifTool
over 7 years ago

ExifTool 8.32 allows local users to gain privileges by creating a %TEMP%\\par-%username%\\cache-exiftool-8.32 folder with a victim's username, and then copying a Trojan horse ws32_32.dll file into this new folder, aka DLL Hijacking. NOTE: 8.32 is an ob... CPANSA-Image-ExifTool-2018-20211

cpan Image-ExifTool
about 1 month ago

Web::Passwd versions through 0.03 for Perl is vulnerable to RCE. Web::Passwd is a small CGI application for managing htpasswd files using the htpasswd command. The user parameter is not validated or escaped, and is used as the last argument on the co... CPANSA-Web-Passwd-2026-8500

cpan Web-Passwd
High
over 6 years ago

An out-of-bounds read was discovered in PCRE before 10.34 when the pattern \X is JIT compiled and used to match specially crafted subjects in non-UTF mode. Applications that use PCRE to parse untrusted input may be vulnerable to this flaw, which would ... CPANSA-Alien-PCRE2-2019-20454

cpan Alien-PCRE2
11 months ago

Authen::DigestMD5 versions 0.01 through 0.02 for Perl generate the cnonce insecurely. The cnonce (client nonce) is generated from an MD5 hash of the PID, the epoch time and the built-in rand function. The PID will come from a small set of numbers, and... CPANSA-Authen-DigestMD5-2025-40919

cpan Authen-DigestMD5
about 9 years ago

The DBD::mysql module through 4.043 for Perl allows remote attackers to cause a denial of service (use-after-free and application crash) or possibly have unspecified other impact by triggering (1) certain error responses from a MySQL server or (2) a lo... CPANSA-DBD-mysql-2017-02

cpan DBD-mysql
about 9 years ago

The DBD::mysql module through 4.043 for Perl uses the mysql_ssl=1 setting to mean that SSL is optional (even though this setting's documentation has a "your communication with the server will be encrypted" statement), which allows man-in-the-middle att... CPANSA-DBD-mysql-2017-01

cpan DBD-mysql
over 9 years ago

Buffer overflow in the DBD::mysql module before 4.037 for Perl allows context-dependent attackers to cause a denial of service (crash) via vectors related to an error message. CPANSA-DBD-mysql-2016-02

cpan DBD-mysql
almost 10 years ago

Use-after-free vulnerability in the my_login function in DBD::mysql before 4.033_01 allows attackers to have unspecified impact by leveraging a call to mysql_errno after a failure of my_login. CPANSA-DBD-mysql-2016-01

cpan DBD-mysql
over 20 years ago

Mail::Audit module in libmail-audit-perl 2.1-5, when logging is enabled without a default log file specified, uses predictable log filenames, which allows local users to overwrite arbitrary files via a symlink attack on the [PID]-audit.log temporary file. CPANSA-Mail-Audit-2005-4536

cpan Mail-Audit
almost 14 years ago

Arbitrary Perl methods could be called via HTTP like RPC. CPANSA-Search-OpenSearch-Server-2012-01

cpan Search-OpenSearch-Server
almost 12 years ago

Inefficient regular expression, which allows remote attackers to cause a denial of service (CPU consumption) via an empty quoted string in an RFC 2822 address. CPANSA-Email-Address-2014-01

cpan Email-Address
almost 12 years ago

Email::Address module before 1.904 for Perl uses an inefficient regular expression, which allows remote attackers to cause a denial of service (CPU consumption) via vectors related to "backtracking into the phrase," a different vulnerability than CVE-2... CPANSA-Email-Address-2014-4720

cpan Email-Address
almost 14 years ago

Multiple format string vulnerabilities in the error reporting functionality in the YAML::LibYAML (aka YAML-LibYAML and perl-YAML-LibYAML) module 0.38 for Perl allow remote attackers to cause a denial of service (process crash) via format string specifi... CPANSA-YAML-LibYAML-2012-1152

cpan YAML-LibYAML
Critical
about 1 year ago

YAML-LibYAML prior to 0.903.0 for Perl uses 2-args open, allowing existing files to be modified CPANSA-YAML-LibYAML-2025-001

cpan YAML-LibYAML
about 1 year ago

Mojolicious::Plugin::CSRF 1.03 for Perl uses a weak random number source for generating CSRF tokens. That version of the module generates tokens as an MD5 of the process id, the current time, and a single call to the built-in rand() function. CPANSA-Mojolicious-Plugin-CSRF-2025-40915

cpan Mojolicious-Plugin-CSRF
High
about 4 years ago

zlib before 1.2.12 allows memory corruption when deflating (i.e., when compressing) if the input has many distant matches. CPANSA-cppAdaptive1-2018-25032-zlib

cpan cppAdaptive1
over 7 years ago

Prototype Pollution is a vulnerability affecting JavaScript. Prototype Pollution refers to the ability to inject properties into existing JavaScript language construct prototypes, such as objects. JavaScript allows all Object attributes to be altered, ... CPANSA-Plack-Debugger-2019-5428-jquery

cpan Plack-Debugger
Moderate
about 6 years ago

In jQuery versions greater than or equal to 1.2 and before 3.5.0, passing HTML from untrusted sources - even after sanitizing it - to one of jQuery's DOM manipulation methods (i.e. .html(), .append(), and others) may execute untrusted code. This proble... CPANSA-Yukki-2020-11022-jquery

cpan Yukki
2 months ago

Net::CIDR::Lite versions before 0.23 for Perl does not validate IPv6 group count, which may allow IP ACL bypass. _pack_ipv6() does not check that uncompressed IPv6 addresses (without ::) have exactly 8 hex groups. Inputs like "abcd", "1:2:3", or "1:2:... CPANSA-Net-CIDR-Lite-2026-40198

cpan Net-CIDR-Lite
2 months ago

Net::CIDR::Lite versions before 0.23 for Perl mishandles IPv4 mapped IPv6 addresses, which may allow IP ACL bypass. _pack_ipv6() includes the sentinel byte from _pack_ipv4() when building the packed representation of IPv4 mapped addresses like ::ffff:... CPANSA-Net-CIDR-Lite-2026-40199

cpan Net-CIDR-Lite
Moderate
about 6 years ago

In jQuery versions greater than or equal to 1.0.3 and before 3.5.0, passing HTML containing <option> elements from untrusted sources - even after sanitizing it - to one of jQuery's DOM manipulation methods (i.e. .html(), .append(), and others) may exec... CPANSA-Yukki-2020-11023-jquery

cpan Yukki
Moderate
about 7 years ago

jQuery before 3.4.0, as used in Drupal, Backdrop CMS, and other products, mishandles jQuery.extend(true, {}, ...) because of Object.prototype pollution. If an unsanitized source object contained an enumerable __proto__ property, it could extend the nat... CPANSA-Yukki-2019-11358-jquery

cpan Yukki
Moderate
over 8 years ago

jQuery before 3.0.0 is vulnerable to Cross-site Scripting (XSS) attacks when a cross-domain Ajax request is performed without the dataType option, causing text/javascript responses to be executed. CPANSA-Yukki-2015-9251-jquery

cpan Yukki
about 1 month ago

Crypt::DSA versions before 1.20 for Perl generate seeds using rand. Seeds were generated using Perl's built-in rand function, which is predictable and unsuitable for security usage. CPANSA-Crypt-DSA-2026-8700

cpan Crypt-DSA
Moderate
over 8 years ago

jQuery before 1.9.0 is vulnerable to Cross-site Scripting (XSS) attacks. The jQuery(strInput) function does not differentiate selectors from HTML in a reliable fashion. In vulnerable versions, jQuery determined whether the input was HTML by looking for... CPANSA-Yukki-2012-6708-jquery

cpan Yukki
Moderate
about 6 years ago

jquery prior to 1.9.0 allows Cross-site Scripting attacks via the load method. The load method fails to recognize and remove "<script>" HTML tags that contain a whitespace character, i.e: "</script >", which results in the enclosed script logic to be e... CPANSA-Yukki-2020-7656-jquery

cpan Yukki
about 1 year ago

Data::Entropy for Perl 0.007 and earlier use the rand() function as the default source of entropy, which is not cryptographically secure, for cryptographic functions. CPANSA-Data-Entropy-2025-1860

cpan Data-Entropy
about 15 years ago

Cross-site scripting (XSS) vulnerability in the link_to helper in Mojolicious before 1.12 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. CPANSA-Mojolicious-2011-1841

cpan Mojolicious
over 7 years ago

Prototype Pollution is a vulnerability affecting JavaScript. Prototype Pollution refers to the ability to inject properties into existing JavaScript language construct prototypes, such as objects. JavaScript allows all Object attributes to be altered, ... CPANSA-Yukki-2019-5428-jquery

cpan Yukki
Moderate
over 8 years ago

jQuery 1.4.2 allows remote attackers to conduct cross-site scripting (XSS) attacks via vectors related to use of the text method inside after. CPANSA-Yukki-2014-6071-jquery

cpan Yukki
Moderate
over 4 years ago

jQuery-UI is the official jQuery user interface library. Prior to version 1.13.0, accepting the value of various `*Text` options of the Datepicker widget from untrusted sources may execute untrusted code. The issue is fixed in jQuery UI 1.13.0. The val... CPANSA-Yukki-2021-41183-jqueryui

cpan Yukki
Moderate
over 4 years ago

jQuery-UI is the official jQuery user interface library. Prior to version 1.13.0, accepting the value of the `of` option of the `.position()` util from untrusted sources may execute untrusted code. The issue is fixed in jQuery UI 1.13.0. Any string val... CPANSA-Yukki-2021-41184-jqueryui

cpan Yukki
High
over 4 years ago

This affects the package plupload before 2.3.9. A file name containing JavaScript code could be uploaded and run. An attacker would need to trick a user to upload this kind of file. CPANSA-Yukki-2021-23562-plupload

cpan Yukki
Moderate
about 10 years ago

Cross-site scripting (XSS) vulnerability in plupload.flash.swf in Plupload before 2.1.9, as used in WordPress before 4.5.2, allows remote attackers to inject arbitrary web script or HTML via a Same-Origin Method Execution (SOME) attack. CPANSA-Yukki-2016-4566-plupload

cpan Yukki
over 17 years ago

Unspecified vulnerability in Movable Type Pro and Community Solution 4.x before 4.24 has unknown impact and attack vectors, possibly related to the password recovery mechanism. CPANSA-MT-2009-0752

cpan MT
over 18 years ago

POSIX::2008's implementation of readlink() and readlinkat(). The underlying syscalls do not add any null terminator byte at the end of the output buffer, but _readlink50c() in 2008.XS also fails to add a null terminator before returning the result stri... CPANSA-POSIX-2008-001

cpan POSIX-2008
over 2 years ago

Fixed potential env buffer overflow in _execve50c() CPANSA-POSIX-2008-002

cpan POSIX-2008
over 17 years ago

When running on Apache with thread support setMacros and setGroups were not launched with the good datas. CPANSA-Lemonldap-NG-Portal-2009-01

cpan Lemonldap-NG-Portal
High
almost 5 years ago

An issue was discovered in LemonLDAP::NG before 2.0.12. Session cache corruption can lead to authorization bypass or spoofing. By running a loop that makes many authentication attempts, an attacker might alternately be authenticated as one of two diffe... CPANSA-Lemonldap-NG-Portal-2021-35472-lemonldap

cpan Lemonldap-NG-Portal
Low
over 5 years ago

OAuth2 handler does not verify access token validity CPANSA-Lemonldap-NG-Portal-2021-35473-lemonldap

cpan Lemonldap-NG-Portal
almost 4 years ago

An issue was discovered in LemonLDAP::NG (aka lemonldap-ng) 2.0.13. When using the RESTServer plug-in to operate a REST password validation service (for another LemonLDAP::NG instance, for example) and using the Kerberos authentication method combined ... CPANSA-Lemonldap-NG-Portal-2021-40874-lemonldap

cpan Lemonldap-NG-Portal
High
over 5 years ago

This affects the package chart.js before 2.9.4. The options parameter is not properly sanitized when it is processed. When the options are processed, the existing options (or the defaults options) are deeply merged with provided options. However, durin... CPANSA-Ukigumo-Server-2020-7746-chartjs

cpan Ukigumo-Server
Moderate
about 6 years ago

In jQuery versions greater than or equal to 1.2 and before 3.5.0, passing HTML from untrusted sources - even after sanitizing it - to one of jQuery's DOM manipulation methods (i.e. .html(), .append(), and others) may execute untrusted code. This proble... CPANSA-Ukigumo-Server-2020-11022-jquery

cpan Ukigumo-Server
Moderate
about 6 years ago

In jQuery versions greater than or equal to 1.0.3 and before 3.5.0, passing HTML containing <option> elements from untrusted sources - even after sanitizing it - to one of jQuery's DOM manipulation methods (i.e. .html(), .append(), and others) may exec... CPANSA-Ukigumo-Server-2020-11023-jquery

cpan Ukigumo-Server
Moderate
about 7 years ago

jQuery before 3.4.0, as used in Drupal, Backdrop CMS, and other products, mishandles jQuery.extend(true, {}, ...) because of Object.prototype pollution. If an unsanitized source object contained an enumerable __proto__ property, it could extend the nat... CPANSA-Ukigumo-Server-2019-11358-jquery

cpan Ukigumo-Server
High
almost 8 years ago

In Miniz 2.0.7, tinfl_decompress in miniz_tinfl.c has an infinite loop because sym2 and counter can both remain equal to zero. CPANSA-Sereal-Encoder-2018-12913-miniz

cpan Sereal-Encoder
Moderate
over 8 years ago

jQuery before 3.0.0 is vulnerable to Cross-site Scripting (XSS) attacks when a cross-domain Ajax request is performed without the dataType option, causing text/javascript responses to be executed. CPANSA-Ukigumo-Server-2015-9251-jquery

cpan Ukigumo-Server
over 13 years ago

Cross-site scripting (XSS) vulnerability in jQuery before 1.6.3, when using location.hash to select elements, allows remote attackers to inject arbitrary web script or HTML via a crafted tag. CPANSA-Ukigumo-Server-2011-4969-jquery

cpan Ukigumo-Server
Moderate
over 8 years ago

jQuery 1.4.2 allows remote attackers to conduct cross-site scripting (XSS) attacks via vectors related to use of the text method inside after. CPANSA-Ukigumo-Server-2014-6071-jquery

cpan Ukigumo-Server
about 12 years ago

The PlRPC module, possibly 0.2020 and earlier, for Perl uses the Storable module, which allows remote attackers to execute arbitrary code via a crafted request, which is not properly handled when it is deserialized. CPANSA-PlRPC-2013-7284

cpan PlRPC
over 11 years ago

JSON highjacking possibility. CPANSA-Cmd-Dwarf-2014-01

cpan Cmd-Dwarf
almost 20 years ago

Jifty did not protect users against a class of remote data access vulnerability. If an attacker knew the structure of your local filesystem and you were using the "standalone" webserver in production, the attacker could gain read only access to local f... CPANSA-Jifty-2006-01

cpan Jifty
High
almost 5 years ago

An issue was discovered in LemonLDAP::NG before 2.0.12. Session cache corruption can lead to authorization bypass or spoofing. By running a loop that makes many authentication attempts, an attacker might alternately be authenticated as one of two diffe... CPANSA-Lemonldap-NG-Manager-2021-35472-lemonldap

cpan Lemonldap-NG-Manager
Low
over 5 years ago

OAuth2 handler does not verify access token validity CPANSA-Lemonldap-NG-Manager-2021-35473-lemonldap

cpan Lemonldap-NG-Manager
almost 4 years ago

An issue was discovered in LemonLDAP::NG (aka lemonldap-ng) 2.0.13. When using the RESTServer plug-in to operate a REST password validation service (for another LemonLDAP::NG instance, for example) and using the Kerberos authentication method combined ... CPANSA-Lemonldap-NG-Manager-2021-40874-lemonldap

cpan Lemonldap-NG-Manager
about 5 years ago

The Data::Validate::IP module through 0.29 for Perl does not properly consider extraneous zero characters at the beginning of an IP address string, which (in some situations) allows attackers to bypass access control that is based on IP addresses. CPANSA-Data-Validate-IP-2021-01

cpan Data-Validate-IP
Critical
about 10 years ago

Integer overflow in proto.c in libotr before 4.1.1 on 64-bit platforms allows remote attackers to cause a denial of service (memory corruption and application crash) or execute arbitrary code via a series of large OTR messages, which triggers a heap-ba... CPANSA-Alien-OTR-2016-2851-libotr

cpan Alien-OTR
4 months ago

Smolder versions through 1.51 for Perl uses insecure rand() function for cryptographic functions. Smolder 1.51 and earlier for Perl uses the rand() function as the default source of entropy, which is not cryptographically secure, for cryptographic fun... CPANSA-Smolder-2024-58041

cpan Smolder
about 1 month ago

Amazon::Credentials versions through 1.2.0 for Perl uses rand to generate encryption keys. Amazon::Credentials stores credentials in an obfuscated form to prevent access to the secrets from a data dump of the object. Before version 1.3.0, the secrets... CPANSA-Amazon-Credentials-2026-6146

cpan Amazon-Credentials
over 2 years ago

closed potential security issue with deeply nested paramters in the DBIC glue code. This was a hack that could let someone create a child record if you were allowing find_by_unique rather than find by primary key. CPANSA-Valiant-2024-001

cpan Valiant
about 14 years ago

Multiple cross-site scripting (XSS) vulnerabilities in the topic administration page. CPANSA-RT-Extension-MobileUI-2012-01

cpan RT-Extension-MobileUI
over 11 years ago

Param injection in case of several parameters of the same name are present. CPANSA-Mojolicious-Plugin-OAuth2-2014-01

cpan Mojolicious-Plugin-OAuth2
about 1 month ago

Gazelle versions through 0.49 for Perl allows HTTP Request Smuggling via Improper Header Precedence. Gazelle incorrectly prioritizes "Content-Length" over "Transfer-Encoding: chunked" when both headers are present in an HTTP request. Per RFC 7230 3.3.... CPANSA-Gazelle-2026-40562

cpan Gazelle
12 months ago

Net::IP::LPM version 1.10 for Perl does not properly consider leading zero characters in IP CIDR address strings, which could allow attackers to bypass access control that is based on IP addresses. Leading zeros are used to indicate octal numbers, whi... CPANSA-Net-IP-LPM-2025-40910

cpan Net-IP-LPM
almost 2 years ago

pdoc provides API Documentation for Python Projects. Documentation generated with `pdoc --math` linked to JavaScript files from polyfill.io. The polyfill.io CDN has been sold and now serves malicious code. This issue has been fixed in pdoc 14.5.1. CPANSA-Mojo-DOM-Role-Analyzer-2024-38526

cpan Mojo-DOM-Role-Analyzer
High
over 5 years ago

A buffer overflow was found in perl-DBI < 1.643 in DBI.xs. A local attacker who is able to supply a string longer than 300 characters could cause an out-of-bounds write, affecting the availability of the service or integrity of data. CPANSA-DBI-2020-01

cpan DBI
High
almost 6 years ago

An untrusted pointer dereference flaw was found in Perl-DBI < 1.643. A local attacker who is able to manipulate calls to dbd_db_login6_sv() could cause memory corruption, affecting the service's availability. CPANSA-DBI-2020-03

cpan DBI
over 3 years ago

Wrong error messages/sometimes crashes or endless loops with invalid JSON in relaxed mode CPANSA-Cpanel-JSON-XS-2023-01

cpan Cpanel-JSON-XS
High
over 5 years ago

An issue was discovered in the DBI module before 1.643 for Perl. The hv_fetch() documentation requires checking for NULL and the code does that. But, shortly thereafter, it calls SvOK(profile), causing a NULL pointer dereference. CPANSA-DBI-2020-02

cpan DBI
High
over 11 years ago

DBD::File drivers open files from folders other than specifically passed using the f_dir attribute. CPANSA-DBI-2014-01

cpan DBI
about 21 years ago

Allows local users to overwrite arbitrary files via a symlink attack on a temporary PID file. CPANSA-DBI-2005-01

cpan DBI
Moderate
almost 6 years ago

An issue was discovered in the DBI module before 1.632 for Perl. DBD::File drivers can open files from folders other than those specifically passed via the f_dir attribute. CPANSA-DBI-2014-10401

cpan DBI
over 8 years ago

In versions prior to 0.13, rand could be used as a result of calling get_weak, or get, if no random device was available. This implies that not explicitly asking for get_strong on a non POSIX operating system (e.g. Win32 without the Win32 backend) coul... CPANSA-Crypt-Random-Source-2024-001

cpan Crypt-Random-Source

Filter by Severity

Moderate 210 High 101 Critical 49 Low 6

Filter by Package

perl 45 DBD-SQLite 42 MT 37 Mojolicious 18 Yukki 14 Dpkg 14 MySQL-Admin 13 Zonemaster-GUI 11 Kossy 11 Yancy 10 App-Netdisco 10 UR 10 SockJS 10 DBI 10 Ukigumo-Server 10 YATT-Lite 10 Zabbix-Reporter 10 Resource-Pack-jQuery 9 JS-jQuery 9 Squatting 9 Plack-Debugger 9 Stardust 9 Sidef 9 Yote 9 Net-Dropbear 7 Imager 7 DBD-mysql 7 Archive-Tar 6 libwww-perl 6 File-Path 6 CGI 6 Cpanel-JSON-XS 6 Sereal-Decoder 5 ActivePerl 5 Net-CIDR-Lite 5 IO-Compress 5 CryptX 5 Git-Raw 5 Win32-File-Summary 5 Alien-SVN 4 Jifty 4 Archive-Unzip-Burst 4 HTTP-Tiny 4 Sereal-Encoder 4 Lemonldap-NG-Portal 4 Plack 4 CGI-Simple 4 Compress-Raw-Zlib 4 YAML-LibYAML 4 Git-XS 4 Tk 4 Net-CIDR-Set 4 YAML-Syck 3 Apache-Session 3 Net-SNMP 3 XML-LibXML 3 Crypt-CBC 3 Safe 3 Crypt-Sodium-XS 3 Lemonldap-NG-Handler 3 Config-Model 3 mod_perl 3 DBD-Pg 3 SOAP-Lite 3 Dancer 3 DBD-MariaDB 3 Plack-Middleware-Session 3 UI-Dialog 3 Lemonldap-NG-Common 3 Image-ExifTool 3 Crypt-DSA 3 Net-DNS 3 CPAN 3 Encode 3 Lemonldap-NG-Manager 3 GBrowse 3 Perl6-Pugs 3 HTML-Parser 2 XML-Parser 2 HTTP-Session2 2 Boost-Graph 2 App-revealup 2 Crypt-OpenSSL-PKCS12 2 FCGI 2 cppAdaptive2 2 Crypt-NaCl-Sodium 2 Catalyst-Runtime 2 Alien-FreeImage 2 Mozilla-CA 2 cppAdaptive1 2 Perl-Tidy 2 DBIx-Class-EncodedColumn 2 PathTools 2 YAML 2 HarfBuzz-Shaper 2 MHonArc 2 Spreadsheet-ParseXLSX 2 Crypt-SaltedHash 2 Digest 2 Archive-Zip 2 Apache-Session-Browseable 2 EasyTCP 2 Storable 2 BSON-XS 2 Locale-Maketext 2 App-cpanminus 2 Crypt-Random 2 Tcl 2 Email-Address 2 POSIX-2008 2 Net-OpenID-Consumer 2 IO-Socket-SSL 2 Win32-Printer 2 HTTP-Daemon 2 Net-Statsd-Lite 2 Crypt-Perl 2 CGI-Session 2 Compress-Raw-Bzip2 2 PAR 2 Zonemaster-Backend 2 Plack-Middleware-Statsd 2 DataDog-DogStatsd 2 Module-Metadata 1 CBOR-XS 1 Catalyst-Action-REST 1 Crypt-ScryptKDF 1 Amon2-Auth-Site-LINE 1 Net-Xero 1 XML-Atom 1 JavaScript-Duktape 1 IPC-Run 1 CPAN-Checksums 1 JSON-XS 1 Unicode-LineBreak 1 Starman 1 CGI-Application-Plugin-AutoRunmode 1 Apache-Wyrd 1 WWW-UsePerl-Server 1 Net-IP-LPM 1 Imager-File-GIF 1 Net-IPv4Addr 1 Plack-Middleware-XSRFBlock 1 Gazelle 1 Amon2 1 Amon2-Plugin-Web-CSRFDefender 1 RPC-XML 1 eperl 1 Crypt-RandomEncryption 1 Mojo-DOM-Role-Analyzer 1 Mail-Audit 1 Graphics-ColorNames 1 Dancer2 1 Catalyst-Controller-Combine 1 PAR-Packer 1 Devel-StackTrace 1 ExtUtils-MakeMaker 1 Crypt-SysRandom-XS 1 Sub-HandlesVia 1 SVG-Sparkline 1 Apache2-API 1 App-Github-Email 1 XML-Simple 1 Cmd-Dwarf 1 Protocol-HTTP2 1 Search-OpenSearch-Server 1 WWW-Mechanize-Cached 1 Image-Info 1 MARC-File-XML 1 Otogiri 1 Term-ReadLine-Gnu 1 File-Temp 1 Pinto 1 LWP-Protocol-Net-Curl 1 Crypt-Primes 1 Catalyst-Plugin-Session 1 String-Compare-ConstantTime 1 Crypt-OpenSSL-RSA 1 Alien-PCRE2 1 Data-FormValidator 1 Clipboard 1 XML-Twig 1 Redis-Fast 1 Text-CSV_XS 1 Crypt-OpenSSL-DSA 1 Catalyst-Plugin-Authentication 1 Authen-SASL 1 Apache-AuthCAS 1 perl-ldap 1 Apache-SessionX 1 Amazon-Credentials 1 Crypt-PasswdMD5 1 Mojolicious-Plugin-OAuth2 1 Filesys-SmbClientParser 1 WWW-Mechanize 1 Template-Toolkit 1 PApp 1 Web-Passwd 1 CGI-Application-Dispatch 1 Crypt-Random-Source 1 Catalyst-Plugin-Static 1

Filter by Repository

https://github.com/jquery/jquery 108 https://github.com/Perl/perl5 22 https://github.com/sqlite/sqlite 15 https://github.com/mojolicious/mojo 12 https://github.com/twbs/bootstrap 9 https://github.com/perl5-dbi/DBD-mysql 7 https://github.com/madler/zlib 6 https://github.com/glennrp/libpng 6 https://github.com/rurban/Cpanel-JSON-XS 6 https://sourceforge.net/projects/sourceforge.net 6 https://github.com/briandfoy/cpan-security-advisory 6 https://github.com/stigtsp/Net-CIDR-Lite 5 https://github.com/jib/archive-tar-new 5 https://github.com/perl5-dbi/dbi 5 https://github.com/facebook/zstd 4 https://github.com/pmqs/IO-Compress 4 https://github.com/tonycoz/imager 3 https://github.com/DCIT/perl-CryptX 3 https://github.com/dod38fr/config-model 3 https://github.com/redis/hiredis 3 https://github.com/kmx/alien-freeimage 3 https://github.com/cpan-authors/YAML-Syck 3 https://github.com/jquery/jquery-ui 3 https://github.com/libgit2/security 3 https://github.com/libtom/libtomcrypt 3 https://github.com/andk/cpanpm 2 https://github.com/chansen/p5-http-tiny 2 https://github.com/exiftool/exiftool 2 https://github.com/jedisct1/libsodium 2 https://github.com/richgel999/miniz 2 https://github.com/robrwo/Plack-Middleware-Statsd 2 https://github.com/chartjs/Chart.js 2 https://github.com/robrwo/perl-Crypt-SaltedHash 2 https://github.com/ingydotnet/yaml-libyaml-pm 2 https://github.com/AndyA/CGI--Simple 2 https://github.com/PerlDancer/Dancer 2 https://github.com/libtom/libtommath 2 https://github.com/cpan-authors/XML-Parser 2 https://github.com/blog/1938-git-client-vulnerability-announced 2 https://github.com/ingydotnet/yaml-pm 2 https://github.com/FGasper/p5-Crypt-Perl 2 https://github.com/hashcat/hashcat 2 https://github.com/zonemaster/zonemaster-backend 2 https://github.com/libwww-perl/libwww-perl 2 https://github.com/cpan-authors/crypt-nacl-sodium 2 https://github.com/svaarala/duktape 2 https://github.com/libwww-perl/HTTP-Daemon 2 https://github.com/miyagawa/cpanminus 2 https://github.com/mitmproxy/pdoc 2 https://github.com/LemonLDAPNG/Apache-Session-Browseable 2 https://github.com/tokuhirom/HTTP-Session2 2 https://github.com/kraih/mojo 1 https://github.com/redhotpenguin/perl-Archive-Zip 1 https://github.com/svarshavchik/Net-CIDR 1 https://github.com/certifi/python-certifi 1 https://github.com/Perl-Toolchain-Gang/ExtUtils-MakeMaker 1 https://github.com/faraco/App-Github-Email 1 https://github.com/moment/moment 1 https://github.com/moxiecode/plupload 1 https://github.com/zhuowei/worthdoingbadly.com 1 https://github.com/Dual-Life/Devel-PPPort 1 https://github.com/rjbs/Email-Address 1 https://github.com/perl-catalyst/Catalyst-Plugin-Session 1 https://github.com/rjbs/Email-MIME 1 https://github.com/markstos/CGI.pm 1 https://github.com/LemonLDAPNG/Apache-Session-LDAP 1 https://github.com/FastCGI-Archives/fcgi2 1 https://github.com/robrwo/Text-Minify-XS 1 https://github.com/redhotpenguin/perl-soaplite 1 https://github.com/gbarr/perl-authen-sasl 1 https://github.com/xsawyerx/app-genpass 1 https://github.com/hakimel/reveal.js 1 https://github.com/toddr/Crypt-OpenSSL-RSA 1 https://github.com/atoomic/Crypt-Primes 1 https://github.com/tchatzi/Authen-TOTP 1 https://github.com/karenetheridge/Crypt-Random-Source 1 https://github.com/dajobe/raptor 1 https://github.com/josdejong/jsoneditor 1 https://github.com/gisle/html-parser 1 https://github.com/bluefeet/Starch 1 https://github.com/cosimo/perl5-net-statsd 1 https://github.com/kazeburo/Plack-Middleware-Session-Simple 1 https://github.com/rschupp/Module-ScanDeps 1 https://github.com/cromedome/cgi-application-plugin-captcha 1 https://github.com/libwww-perl/WWW-Mechanize-Cached 1 https://github.com/perl-catalyst/Catalyst-Plugin-Authentication 1 https://github.com/mojomojo/mojomojo 1 https://github.com/yuki-kimoto/DBIx-Custom 1 https://github.com/creaktive/LWP-Protocol-Net-Curl 1 https://github.com/seagirl/dwarf 1 https://github.com/dankogai/p5-encode 1 https://github.com/miyagawa/Starman 1 https://github.com/gitpan/PerlSpeak 1 https://github.com/kberov/Ado 1 https://github.com/jkeenan/File-Path 1 https://github.com/abw/Template2 1 https://bitbucket.org/shlomif/perl-config-inifiles 1 https://github.com/robrwo/perl-Net-CIDR-Set 1 https://github.com/markstos/CGI--Application 1 https://github.com/tokuhirom/Amon 1 https://github.com/lstein/Lib-Crypt-CBC 1 https://github.com/PerlDancer/Dancer2 1 https://github.com/grantm/xml-simple 1 https://github.com/karpet/search-opensearch-server 1 https://github.com/gwadej/svg-sparkline 1 https://github.com/gnustavo/SVN-Look 1 https://bitbucket.org/xi/libyaml 1 https://github.com/bwva/Concierge-Sessions 1 https://github.com/google/brotli 1 https://github.com/haile01/perl_spreadsheet_excel_rce_poc 1 https://github.com/karpet/Dezi 1 https://github.com/marcusramberg/Mojolicious-Plugin-OAuth2 1 https://github.com/atrodo/Net-Dropbear 1 https://github.com/snapappointments/bootstrap-select 1 https://github.com/robrwo/Net-Statsd-Lite 1 https://github.com/perltidy/perltidy 1 https://github.com/clintongormley/perl-html-stripscripts 1 https://github.com/robrwo/Net-Statsd-Tiny 1 https://github.com/mkj/dropbear 1 https://github.com/Perl-Toolchain-Gang/File-Temp 1 https://github.com/kazuho/Starlet 1 https://github.com/perl-catalyst/FCGI 1 https://github.com/harfbuzz/harfbuzz 1 https://github.com/perl-catalyst/Catalyst-Authentication-Credential-HTTP 1 https://github.com/Leont/crypt-argon2 1 https://github.com/jberger/Galileo 1 https://github.com/pjuhasz/JSON-SIMD 1 https://github.com/gray/compress-lz4 1 https://github.com/ycdxsb/WindowsPrivilegeEscalation 1 https://github.com/sgnix/kelp 1 https://github.com/kazeburo/Kossy 1 https://github.com/dsully/perl-crypt-openssl-pkcs12 1 https://github.com/bluefeet/GitLab-API-v4 1 https://github.com/amaltsev/XAO-Web 1 https://github.com/cpan-authors/Text-CSV_XS 1 https://github.com/cpan-authors/XML-LibXML 1 https://github.com/libwww-perl/lwp-protocol-https 1 https://github.com/atoomic/Crypt-Random 1 https://github.com/mtrmac/IPTables-Parse 1 https://github.com/richardc/perl-file-find-rule 1 https://github.com/preaction/Log-Any 1 https://github.com/ytnobody/Otogiri 1 https://github.com/wrog/Net-OpenID-Consumer 1 https://github.com/Perl-Toolchain-Gang/HTTP-Tiny 1 https://github.com/plack/Plack 1 https://github.com/angular/angular.js 1 https://github.com/DCIT/perl-Crypt-JWT 1 https://github.com/perl-Crypt-OpenPGP/Crypt-Random 1 https://github.com/jmcnamara/spreadsheet-parseexcel 1 https://github.com/thaljef/Pinto 1 https://github.com/gbarr/perl-Convert-ASN1 1 https://github.com/Sereal/Sereal 1 https://github.com/robrwo/CatalystX-Statsd 1 https://github.com/dagolden/Capture-Tiny 1 https://github.com/houseabsolute/Data-Validate-IP 1 https://github.com/libwww-perl/HTML-Parser 1 https://github.com/robrwo/perl-Mojolicious-Plugin-Statsd 1 https://github.com/plack/Plack-Middleware-Session 1 https://github.com/perl-net-saml2/perl-XML-Sig 1 https://sourceforge.net/projects/net-snmp 1 https://github.com/hatukanezumi/Unicode-LineBreak 1