Data

Tools

Indexes

Applications

Experiments

Advisories

An open API service providing security vulnerability metadata for many open source software ecosystems.

cpan

cpan

374 packages · metacpan.org

Security Advisories in cpan

over 7 years ago

Prototype Pollution is a vulnerability affecting JavaScript. Prototype Pollution refers to the ability to inject properties into existing JavaScript language construct prototypes, such as objects. JavaScript allows all Object attributes to be altered, ... CPANSA-Squatting-2019-5428-jquery

cpan Squatting
Moderate
over 8 years ago

jQuery 1.4.2 allows remote attackers to conduct cross-site scripting (XSS) attacks via vectors related to use of the text method inside after. CPANSA-Squatting-2014-6071-jquery

cpan Squatting
Moderate
about 6 years ago

angular.js prior to 1.8.0 allows cross site scripting. The regex-based input HTML replacement may turn sanitized code into unsanitized one. Wrapping "<option>" elements in "<select>" ones changes parsing behavior, leading to possibly unsanitizing code. CPANSA-Zonemaster-GUI-2020-7676-angular

cpan Zonemaster-GUI
Moderate
almost 8 years ago

Prototype Pollution is a vulnerability affecting JavaScript. Prototype Pollution refers to the ability to inject properties into existing JavaScript language construct prototypes, such as objects. JavaScript allows all Object attributes to be altered, ... CPANSA-Zonemaster-GUI-2018-14040-bootstrap

cpan Zonemaster-GUI
Moderate
about 6 years ago

In jQuery versions greater than or equal to 1.2 and before 3.5.0, passing HTML from untrusted sources - even after sanitizing it - to one of jQuery's DOM manipulation methods (i.e. .html(), .append(), and others) may execute untrusted code. This proble... CPANSA-Zonemaster-GUI-2020-11022-jquery

cpan Zonemaster-GUI
Moderate
about 6 years ago

In jQuery versions greater than or equal to 1.0.3 and before 3.5.0, passing HTML containing <option> elements from untrusted sources - even after sanitizing it - to one of jQuery's DOM manipulation methods (i.e. .html(), .append(), and others) may exec... CPANSA-Zonemaster-GUI-2020-11023-jquery

cpan Zonemaster-GUI
High
over 4 years ago

This affects the package plupload before 2.3.9. A file name containing JavaScript code could be uploaded and run. An attacker would need to trick a user to upload this kind of file. CPANSA-Yukki-2021-23562-plupload

cpan Yukki
High
over 18 years ago

A tainted cookie could be sent by a malicious user and it would be used in an SQL query without protection against SQL injection. CPANSA-Apache-AuthCAS-2007-01

cpan Apache-AuthCAS
Moderate
about 7 years ago

jQuery before 3.4.0, as used in Drupal, Backdrop CMS, and other products, mishandles jQuery.extend(true, {}, ...) because of Object.prototype pollution. If an unsanitized source object contained an enumerable __proto__ property, it could extend the nat... CPANSA-Zonemaster-GUI-2019-11358-jquery

cpan Zonemaster-GUI
Moderate
over 8 years ago

jQuery before 3.0.0 is vulnerable to Cross-site Scripting (XSS) attacks when a cross-domain Ajax request is performed without the dataType option, causing text/javascript responses to be executed. CPANSA-Zonemaster-GUI-2015-9251-jquery

cpan Zonemaster-GUI
over 13 years ago

Cross-site scripting (XSS) vulnerability in jQuery before 1.6.3, when using location.hash to select elements, allows remote attackers to inject arbitrary web script or HTML via a crafted tag. CPANSA-Zonemaster-GUI-2011-4969-jquery

cpan Zonemaster-GUI
Moderate
over 8 years ago

jQuery before 1.9.0 is vulnerable to Cross-site Scripting (XSS) attacks. The jQuery(strInput) function does not differentiate selectors from HTML in a reliable fashion. In vulnerable versions, jQuery determined whether the input was HTML by looking for... CPANSA-Zonemaster-GUI-2012-6708-jquery

cpan Zonemaster-GUI
Moderate
about 6 years ago

jquery prior to 1.9.0 allows Cross-site Scripting attacks via the load method. The load method fails to recognize and remove "<script>" HTML tags that contain a whitespace character, i.e: "</script >", which results in the enclosed script logic to be e... CPANSA-Zonemaster-GUI-2020-7656-jquery

cpan Zonemaster-GUI
Moderate
over 8 years ago

jQuery 1.4.2 allows remote attackers to conduct cross-site scripting (XSS) attacks via vectors related to use of the text method inside after. CPANSA-Ukigumo-Server-2014-6071-jquery

cpan Ukigumo-Server
over 25 years ago

A security bug allowed people to bypass the AllowDownload setting. CPANSA-Apache-MP3-2001-01

cpan Apache-MP3
about 15 years ago

The path as passed in the fragment request data structure was used verbatim in the dispatcher and other locations. This possibly allowed requests to walk around ACLs by requesting '/some/safe/place/../../../dangerous' as a fragment. CPANSA-Jifty-2011-01

cpan Jifty
over 7 years ago

Prototype Pollution is a vulnerability affecting JavaScript. Prototype Pollution refers to the ability to inject properties into existing JavaScript language construct prototypes, such as objects. JavaScript allows all Object attributes to be altered, ... CPANSA-Zonemaster-GUI-2019-5428-jquery

cpan Zonemaster-GUI
Moderate
over 8 years ago

jQuery 1.4.2 allows remote attackers to conduct cross-site scripting (XSS) attacks via vectors related to use of the text method inside after. CPANSA-Zonemaster-GUI-2014-6071-jquery

cpan Zonemaster-GUI
almost 3 years ago

When not using signed cookies, it was possible to bypass XSRFBlock by POSTing an empty form value and an empty cookie CPANSA-Plack-Middleware-XSRFBlock-20230714-01

cpan Plack-Middleware-XSRFBlock
about 12 years ago

HTML::EP::Session::Cookie in the HTML::EP module 0.2011 for Perl does not properly use the Storable::thaw function, which allows remote attackers to execute arbitrary code via a crafted request, which is not properly handled when it is deserialized. CPANSA-HTML-EP-2012-6142

cpan HTML-EP
High
almost 10 years ago

(1) cpan/Archive-Tar/bin/ptar, (2) cpan/Archive-Tar/bin/ptardiff, (3) cpan/Archive-Tar/bin/ptargrep, (4) cpan/CPAN/scripts/cpan, (5) cpan/Digest-SHA/shasum, (6) cpan/Encode/bin/enc2xs, (7) cpan/Encode/bin/encguess, (8) cpan/Encode/bin/piconv, (9) cpan/... CPANSA-Module-Provision-2016-1238

cpan Module-Provision
about 19 years ago

Unspecified vulnerability in apreq_parse_headers and apreq_parse_urlencoded functions in Apache2::Request (Libapreq2) allows remote attackers to cause a denial of service (CPU consumption) via unknown attack vectors that result in quadratic computation... CPANSA-libapreq2-2006-01

cpan libapreq2
about 20 years ago

CGI::Session 4.03-1 allows local users to overwrite arbitrary files via a symlink attack on temporary files used by (1) Driver::File, (2) Driver::db_file, and possibly (3) Driver::sqlite. CPANSA-CGI-Session-2006-1279

cpan CGI-Session
over 10 years ago

Cross-site scripting (XSS) vulnerability in the HTML-Scrubber module before 0.15 for Perl, when the comment feature is enabled, allows remote attackers to inject arbitrary web script or HTML via a crafted comment. CPANSA-HTML-Scrubber-2015-5667

cpan HTML-Scrubber
about 20 years ago

Untrusted search path vulnerability in libgpib-perl 3.2.06-2 in Debian GNU/Linux includes an RPATH value under the /tmp/buildd directory for the LinuxGpib.so module, which might allow local users to gain privileges by installing malicious libraries in ... CPANSA-GPIB-2006-1565

cpan GPIB
about 1 year ago

Mite for Perl before 0.013000 generates code with the current working directory ('.') added to the @INC path similar to CVE-2016-1238. If an attacker can place a malicious file in current working directory, it may be loaded instead of the intended fi... CPANSA-Mite-2025-30672

cpan Mite
over 10 years ago

Does not properly remove . (period) characters from the end of the includes directory array, which might allow local users to gain privileges via a Trojan horse module under the current working directory. CPANSA-PathTools-2016-02

cpan PathTools
over 10 years ago

Does not properly preserve the taint attribute of data, which might allow context-dependent attackers to bypass the taint protection mechanism via a crafted string. CPANSA-PathTools-2016-01

cpan PathTools
about 1 year ago

Data::Entropy for Perl 0.007 and earlier use the rand() function as the default source of entropy, which is not cryptographically secure, for cryptographic functions. CPANSA-Data-Entropy-2025-1860

cpan Data-Entropy
about 15 years ago

Cross-site scripting (XSS) vulnerability in the link_to helper in Mojolicious before 1.12 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. CPANSA-Mojolicious-2011-1841

cpan Mojolicious
Critical
almost 7 years ago

libpng before 1.6.32 does not properly check the length of chunks against the user limit. CPANSA-Prima-codecs-win32-2017-12652-libpng

cpan Prima-codecs-win32
High
about 7 years ago

Perl Crypt::JWT prior to 0.023 is affected by: Incorrect Access Control. The impact is: allow attackers to bypass authentication by providing a token by crafting with hmac(). The component is: JWT.pm, line 614. The attack vector is: network connectivit... CPANSA-Crypt-JWT-2019-01

cpan Crypt-JWT
about 16 years ago

Multiple cross-site scripting (XSS) vulnerabilities in the administrative user interface in Six Apart Movable Type 5.0 and 5.01 allow remote attackers to inject arbitrary web script or HTML via unknown vectors. CPANSA-MT-2010-1985

cpan MT
almost 17 years ago

Cross-site scripting (XSS) vulnerability in mt-wizard.cgi in Six Apart Movable Type before 4.261 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors, a different vulnerability than CVE-2009-2480. CPANSA-MT-2009-2492

cpan MT
almost 17 years ago

mt-wizard.cgi in Six Apart Movable Type before 4.261, when global templates are not initialized, allows remote attackers to bypass access restrictions and (1) send e-mail to arbitrary addresses or (2) obtain sensitive information via unspecified vectors. CPANSA-MT-2009-2481

cpan MT
over 17 years ago

Unspecified vulnerability in Movable Type Pro and Community Solution 4.x before 4.24 has unknown impact and attack vectors, possibly related to the password recovery mechanism. CPANSA-MT-2009-0752

cpan MT
about 1 month ago

WebDyne::Session versions through 2.075 for Perl generates the session id insecurely. The session handler generates the session id from an MD5 hash seeded with a call to the built-in rand() function. The rand function is passed a maximum value based o... CPANSA-WebDyne-2026-5084

cpan WebDyne
almost 17 years ago

Off-by-one error in the bzinflate function in Bzip2.xs in the Compress-Raw-Bzip2 module before 2.018 for Perl allows context-dependent attackers to cause a denial of service (application hang or crash) via a crafted bzip2 compressed stream that trigger... CPANSA-Compress-Raw-Bzip2-2009-1884

cpan Compress-Raw-Bzip2
over 2 years ago

The Spreadsheet::ParseXLSX package before 0.28 for Perl can encounter an out-of-memory condition during parsing of a crafted XLSX document. This occurs because the memoize implementation does not have appropriate constraints on merged cells. CPANSA-Spreadsheet-ParseXLSX-2024-22368

cpan Spreadsheet-ParseXLSX
over 2 years ago

In default configuration of Spreadsheet::ParseXLSX, whenever we call Spreadsheet::ParseXLSX->new()->parse('user_input_file.xlsx'), we'd be vulnerable for XXE vulnerability if the XLSX file that we are parsing is from user input. CPANSA-Spreadsheet-ParseXLSX-2024-23525

cpan Spreadsheet-ParseXLSX
almost 12 years ago

Outdated LZ4 source code with security issue on 32bit systems. CPANSA-Compress-LZ4-2014-01

cpan Compress-LZ4
High
about 6 years ago

perl-Convert-ASN1 (aka the Convert::ASN1 module for Perl) through 0.27 allows remote attackers to cause an infinite loop via unexpected input. CPANSA-Convert-ASN1-2013-7488

cpan Convert-ASN1
about 1 month ago

Catalyst::Plugin::Statsd versions through 0.10.0 for Perl may leak session ids. If the communication channel to the statsd daemon is not secured (for example, by sending UDP packets to a host on another network), then users' session ids may be leaked.... CPANSA-Catalyst-Plugin-Statsd-2026-45180

cpan Catalyst-Plugin-Statsd
Critical
over 8 years ago

There is a potential RCE with regards to Storable. We have added session ID validation to the session engine so that session backends based on Storable can reject malformed session IDs that may lead to exploitation of the RCE. CPANSA-Dancer2-2018-01

cpan Dancer2
about 11 years ago

Use-after-free in the XML-LibXML module through 2.0129 for Perl allows remote attackers to execute arbitrary code by controlling the arguments to a replaceChild call. CPANSA-XML-LibXML-2017-01

cpan XML-LibXML
about 1 month ago

XML::LibXML versions through 2.0210 for Perl read out-of-bounds heap memory when parsing XML node names containing truncated UTF-8 byte sequences. A node name ending in the middle of a multi byte UTF-8 sequence causes the parser to read past the end o... CPANSA-XML-LibXML-2026-8177

cpan XML-LibXML
8 months ago

YAML::Syck versions before 1.36 for Perl has missing null-terminators which causes out-of-bounds read and potential information disclosure Missing null terminators in token.c leads to but-of-bounds read which allows adjacent variable to be read The i... CPANSA-YAML-Syck-2025-11683

cpan YAML-Syck
3 months ago

YAML::Syck versions through 1.36 for Perl has several potential security vulnerabilities including a high-severity heap buffer overflow in the YAML emitter. The heap overflow occurs when class names exceed the initial 512-byte allocation. The base64 ... CPANSA-YAML-Syck-2026-4177

cpan YAML-Syck
Moderate
about 8 years ago

In Perl through 5.26.2, the Archive::Tar module allows remote attackers to bypass a directory-traversal protection mechanism, and overwrite arbitrary files, via an archive file containing a symlink and a regular file with the same name. CPANSA-Win32-File-Summary-2018-01

cpan Win32-File-Summary
Moderate
over 9 years ago

The mxml_write_node function in mxml-file.c in mxml 2.9, 2.7, and possibly earlier allows remote attackers to cause a denial of service (stack consumption) via crafted xml file. CPANSA-Win32-File-Summary-2016-4571-mxml

cpan Win32-File-Summary
over 18 years ago

The regular expression parser in TCL before 8.4.17, as used in PostgreSQL 8.2 before 8.2.6, 8.1 before 8.1.11, 8.0 before 8.0.15, and 7.4 before 7.4.19, allows context-dependent attackers to cause a denial of service (infinite loop) via a crafted regul... CPANSA-Tcl-2007-4772-tcl

cpan Tcl
about 9 years ago

Timing sidechannel vulnerability in password checking. CPANSA-RT-Authen-ExternalAuth-2017-01

cpan RT-Authen-ExternalAuth
11 months ago

Plack-Middleware-Session before version 0.35 for Perl generates session ids insecurely. The default session id generator returns a SHA-1 hash seeded with the built-in rand function, the epoch time, and the PID. The PID will come from a small set of nu... CPANSA-Plack-Middleware-Session-2025-40923

cpan Plack-Middleware-Session
about 1 month ago

YAML::Syck versions before 1.38 for Perl has an out-of-bounds read. The base60 (sexagesimal) parsing code in perl_syck.h has a buffer underflow bug in both int#base60 and float#base60 handlers. When processing the leftmost segment of a colon-separate... CPANSA-YAML-Syck-2026-5089

cpan YAML-Syck
over 15 years ago

Remaining contents of the read buffer could allow plaintext injection attacks wherein attackers could cause nominally SSL-only commands to be executed by appending them to the end of a STARTTLS. CPANSA-Net-Server-Coro-2011-0411

cpan Net-Server-Coro
Moderate
about 6 years ago

In jQuery versions greater than or equal to 1.2 and before 3.5.0, passing HTML from untrusted sources - even after sanitizing it - to one of jQuery's DOM manipulation methods (i.e. .html(), .append(), and others) may execute untrusted code. This proble... CPANSA-Yancy-2020-11022-jquery

cpan Yancy
Moderate
about 6 years ago

In jQuery versions greater than or equal to 1.0.3 and before 3.5.0, passing HTML containing <option> elements from untrusted sources - even after sanitizing it - to one of jQuery's DOM manipulation methods (i.e. .html(), .append(), and others) may exec... CPANSA-Yancy-2020-11023-jquery

cpan Yancy
Moderate
over 8 years ago

jQuery before 3.0.0 is vulnerable to Cross-site Scripting (XSS) attacks when a cross-domain Ajax request is performed without the dataType option, causing text/javascript responses to be executed. CPANSA-Yancy-2015-9251-jquery

cpan Yancy
over 13 years ago

Cross-site scripting (XSS) vulnerability in jQuery before 1.6.3, when using location.hash to select elements, allows remote attackers to inject arbitrary web script or HTML via a crafted tag. CPANSA-Yancy-2011-4969-jquery

cpan Yancy
Moderate
over 8 years ago

jQuery before 1.9.0 is vulnerable to Cross-site Scripting (XSS) attacks. The jQuery(strInput) function does not differentiate selectors from HTML in a reliable fashion. In vulnerable versions, jQuery determined whether the input was HTML by looking for... CPANSA-Yancy-2012-6708-jquery

cpan Yancy
Moderate
about 6 years ago

jquery prior to 1.9.0 allows Cross-site Scripting attacks via the load method. The load method fails to recognize and remove "<script>" HTML tags that contain a whitespace character, i.e: "</script >", which results in the enclosed script logic to be e... CPANSA-Yancy-2020-7656-jquery

cpan Yancy
over 8 years ago

Regular Expression Denial of Service. CPANSA-Yancy-X-CVE-2018-vue-001-vue

cpan Yancy
over 22 years ago

Perl 5.8.1 on Fedora Core does not properly initialize the random number generator when forking, which makes it easier for attackers to predict random numbers. CPANSA-perl-2003-0900

cpan perl
5 months ago

Crypt::Sodium::XS module versions prior to 0.000042, for Perl, include a vulnerable version of libsodium libsodium <= 1.0.20 or a version of libsodium released before December 30, 2025 contains a vulnerability documented as CVE-2025-69277  https://... CPANSA-Crypt-Sodium-XS-2025-15444

cpan Crypt-Sodium-XS
3 months ago

Crypt::Sodium::XS versions through 0.001000 for Perl has potential integer overflows. Combined aead encryption, combined signature creation, and bin2hex functions do not check that output size will be less than SIZE_MAX, which could lead to integer wr... CPANSA-Crypt-Sodium-XS-2026-30910

cpan Crypt-Sodium-XS
Moderate
6 months ago

libsodium before ad3004e, in atypical use cases involving certain custom cryptography or untrusted data to crypto_core_ed25519_is_valid_point, mishandles checks for whether an elliptic curve point is valid because it sometimes allows points that aren't... CPANSA-Crypt-Sodium-XS-2025-69277-libsodium

cpan Crypt-Sodium-XS
over 13 years ago

The rehash mechanism in Perl 5.8.2 through 5.16.x allows context-dependent attackers to cause a denial of service (memory consumption and crash) via a crafted hash key. CPANSA-App-perlall-2013-1667

cpan App-perlall
about 15 years ago

SQL injection in column names, operators, order and group by. CPANSA-Jifty-DBI-2011-01

cpan Jifty-DBI
about 1 month ago

Imager::File::GIF versions through 1.002 for Perl allow a heap out of bounds (OOB) write on crafted multi-frame GIF files. Imager::File::GIF's i_readgif_multi_low allocates a single per-row buffer GifRow sized for the GIF's global screen width 'SWidth... CPANSA-Imager-File-GIF-2026-8454

cpan Imager-File-GIF
over 21 years ago

find_link() uses eval(). CPANSA-WWW-Mechanize-2004-01

cpan WWW-Mechanize
almost 14 years ago

Multiple format string vulnerabilities in dbdimp.c in DBD::Pg (aka DBD-Pg or libdbd-pg-perl) module before 2.19.0 for Perl allow remote PostgreSQL database servers to cause a denial of service (process crash) via format string specifiers in (1) a craft... CPANSA-DBD-Pg-2012-1151

cpan DBD-Pg
about 17 years ago

Heap-based buffer overflow in the DBD::Pg (aka DBD-Pg or libdbd-pg-perl) module 1.49 for Perl might allow context-dependent attackers to execute arbitrary code via unspecified input to an application that uses the getline and pg_getline functions to re... CPANSA-DBD-Pg-2009-0663

cpan DBD-Pg
about 17 years ago

Memory leak in the dequote_bytea function in quote.c in the DBD::Pg (aka DBD-Pg or libdbd-pg-perl) module before 2.0.0 for Perl allows context-dependent attackers to cause a denial of service (memory consumption) by fetching data with BYTEA columns. CPANSA-DBD-Pg-2009-1341

cpan DBD-Pg
about 12 years ago

X-Real-IP, X-Forwarded-Host and X-Remote-User headers were trusted and used in Kelp::Request CPANSA-Kelp-2014-01

cpan Kelp
about 9 years ago

Race condition in the rmtree and remove_tree functions allows attackers to set the mode on arbitrary files via vectors involving directory-permission loosening logic. CPANSA-File-Path-2017-01

cpan File-Path
over 17 years ago

Race condition in the rmtree function in File::Path 1.08 (lib/File/Path.pm) in Perl 5.8.8 allows local users to to delete arbitrary files via a symlink attack, a different vulnerability than CVE-2005-0448, CVE-2004-0452, and CVE-2008-2827. NOTE: this i... CPANSA-File-Path-2008-5303

cpan File-Path
2 months ago

Ado::Sessions versions through 0.935 for Perl generates insecure session ids. The session id is generated from a SHA-1 hash seeded with the built-in rand function, the epoch time, and the PID. The PID will come from a small set of numbers, and the epo... CPANSA--2026-5083

cpan Ado
Critical
over 6 years ago

In LibTomCrypt through 1.18.2, the der_decode_utf8_string function (in der_decode_utf8_string.c) does not properly detect certain invalid UTF-8 sequences. This allows context-dependent attackers to cause a denial of service (out-of-bounds read and cras... CPANSA-Net-Dropbear-2019-17362

cpan Net-Dropbear
11 months ago

Net::Dropbear versions through 0.16 for Perl contains a dependency that may be susceptible to an integer overflow. Net::Dropbear embeds a version of the libtommath library that is susceptible to an integer overflow associated with CVE-2023-36328. CPANSA-Net-Dropbear-2025-40913

cpan Net-Dropbear
about 2 months ago

Net::Dropbear versions before 0.14 for Perl contains a vulnerable version of libtomcrypt. Net::Dropbear versions before 0.14 includes versions of Dropbear 2019.78 or earlier. These include versions of libtomcrypt v1.18.1 or earlier, which is affected ... CPANSA-Net-Dropbear-2025-15638

cpan Net-Dropbear
Moderate
over 8 years ago

jQuery before 3.0.0 is vulnerable to Cross-site Scripting (XSS) attacks when a cross-domain Ajax request is performed without the dataType option, causing text/javascript responses to be executed. CPANSA-YATT-Lite-2015-9251-jquery

cpan YATT-Lite
Critical
over 6 years ago

In LibTomCrypt through 1.18.2, the der_decode_utf8_string function (in der_decode_utf8_string.c) does not properly detect certain invalid UTF-8 sequences. This allows context-dependent attackers to cause a denial of service (out-of-bounds read and cras... CPANSA-Net-Dropbear-2019-17362-libtomcrypt

cpan Net-Dropbear
High
over 9 years ago

The rsa_verify_hash_ex function in rsa_verify_hash.c in LibTomCrypt, as used in OP-TEE before 2.2.0, does not validate that the message length is equal to the ASN.1 encoded data length, which makes it easier for remote attackers to forge RSA signatures... CPANSA-Net-Dropbear-2016-6129-libtomcrypt

cpan Net-Dropbear
4 months ago

Crypt::NaCl::Sodium versions through 2.001 for Perl has an integer overflow flaw on 32-bit systems. Sodium.xs casts a STRLEN (size_t) to unsigned long long when passing a length pointer to libsodium functions. On 32-bit systems size_t is typically 32... CPANSA-Crypt-NaCl-Sodium-2026-2588

cpan Crypt-NaCl-Sodium
over 15 years ago

Improper escaping of certain HTML sequences (XSS). CPANSA-MHonArc-2011-01

cpan MHonArc
over 15 years ago

DoS when processing html messages with deep tag nesting. CPANSA-MHonArc-2011-02

cpan MHonArc
2 months ago

Amon2::Plugin::Web::CSRFDefender versions from 7.00 through 7.03 for Perl generate an insecure session id. The generate_session_id function will attempt to read bytes from the /dev/urandom device, but if that is unavailable then it generates bytes usi... CPANSA-Amon2-Plugin-Web-CSRFDefender-2026-5082

cpan Amon2-Plugin-Web-CSRFDefender
over 13 years ago

CGI.pm module before 3.63 for Perl does not properly escape newlines in (1) Set-Cookie or (2) P3P headers, which might allow remote attackers to inject arbitrary headers into responses from applications that use CGI.pm. CPANSA-CGI-2012-5526

cpan CGI
over 15 years ago

The multipart_init function in (1) CGI.pm before 3.50 and (2) Simple.pm in CGI::Simple 1.112 and earlier uses a hardcoded value of the MIME boundary string in multipart/x-mixed-replace content, which allows remote attackers to inject arbitrary HTTP hea... CPANSA-CGI-2010-2761

cpan CGI
27 days ago

Crypt::SaltedHash versions through 0.09 for Perl generate insecure random values for salts. These versions use the built-in rand function, which is predictable and unsuitable for cryptography. CPANSA-Crypt-SaltedHash-2026-47372

cpan Crypt-SaltedHash
27 days ago

Crypt::SaltedHash versions through 0.09 for Perl is susceptible to timing attacks. These versions use Perl's built-in eq comparison. Discrepencies in timing could be used to guess the underlying hash. CPANSA-Crypt-SaltedHash-2026-47373

cpan Crypt-SaltedHash
over 12 years ago

XML External Entity (XXE) vulnerability in MARC::File::XML module before 1.0.2 for Perl, as used in Evergreen, Koha, perl4lib, and possibly other products, allows context-dependent attackers to read arbitrary files via a crafted XML file. CPANSA-MARC-File-XML-2014-1626

cpan MARC-File-XML
High
over 4 years ago

Hiredis is a minimalistic C client library for the Redis database. In affected versions Hiredis is vulnurable to integer overflow if provided maliciously crafted or corrupted `RESP` `mult-bulk` protocol data. When parsing `multi-bulk` (array-like) repl... CPANSA-Redis-Fast-2021-32765-hiredis

cpan Redis-Fast
Critical
about 1 year ago

BSON::XS versions 0.8.4 and earlier for Perl includes a bundled libbson 1.1.7, which has several vulnerabilities. CPANSA-BSON-XS-2025-40906

cpan BSON-XS
Moderate
almost 2 years ago

The bson_string_append function in MongoDB C Driver may be vulnerable to a buffer overflow where the function might attempt to allocate too small of buffer and may lead to memory corruption of neighbouring heap memory. This issue affects libbson versio... CPANSA-BSON-XS-2024-6383-libbson

cpan BSON-XS
High
almost 10 years ago

(1) cpan/Archive-Tar/bin/ptar, (2) cpan/Archive-Tar/bin/ptardiff, (3) cpan/Archive-Tar/bin/ptargrep, (4) cpan/CPAN/scripts/cpan, (5) cpan/Digest-SHA/shasum, (6) cpan/Encode/bin/enc2xs, (7) cpan/Encode/bin/encguess, (8) cpan/Encode/bin/piconv, (9) cpan/... CPANSA-Module-Load-Conditional-2016-1238

cpan Module-Load-Conditional
almost 5 years ago

When running the API behind a reverse proxy on the same machine (like it is using the configuration example provided by the GUI) the remote ip might always be localhost even if the query was done from elsewher CPANSA-Zonemaster-Backend-2021-001

cpan Zonemaster-Backend
over 10 years ago

Multiple integer underflows in PluginPCX.cpp in FreeImage 3.17.0 and earlier allow remote attackers to cause a denial of service (heap memory corruption) via vectors related to the height and width of a window. CPANSA-Win32-Printer-2015-0852-freeimage

cpan Win32-Printer
Moderate
about 8 years ago

ghostscript before version 9.21 is vulnerable to a heap based buffer overflow that was found in the ghostscript jbig2_decode_gray_scale_image function which is used to decode halftone segments in a JBIG2 image. A document (PostScript or PDF) with an em... CPANSA-Win32-Printer-2016-9601-jquery

cpan Win32-Printer
Moderate
about 6 years ago

jquery prior to 1.9.0 allows Cross-site Scripting attacks via the load method. The load method fails to recognize and remove "<script>" HTML tags that contain a whitespace character, i.e: "</script >", which results in the enclosed script logic to be e... CPANSA-Squatting-2020-7656-jquery

cpan Squatting

Filter by Severity

Moderate 210 High 101 Critical 49 Low 6

Filter by Package

perl 45 DBD-SQLite 42 MT 37 Mojolicious 18 Dpkg 14 Yukki 14 MySQL-Admin 13 Kossy 11 Zonemaster-GUI 11 YATT-Lite 10 Ukigumo-Server 10 DBI 10 Yancy 10 SockJS 10 Zabbix-Reporter 10 UR 10 App-Netdisco 10 Plack-Debugger 9 Stardust 9 JS-jQuery 9 Resource-Pack-jQuery 9 Yote 9 Sidef 9 Squatting 9 Imager 7 Net-Dropbear 7 DBD-mysql 7 Archive-Tar 6 Cpanel-JSON-XS 6 CGI 6 File-Path 6 libwww-perl 6 Git-Raw 5 Net-CIDR-Lite 5 Win32-File-Summary 5 IO-Compress 5 CryptX 5 ActivePerl 5 Sereal-Decoder 5 YAML-LibYAML 4 Compress-Raw-Zlib 4 Jifty 4 Archive-Unzip-Burst 4 Lemonldap-NG-Portal 4 Net-CIDR-Set 4 Plack 4 CGI-Simple 4 HTTP-Tiny 4 Sereal-Encoder 4 Tk 4 Alien-SVN 4 Git-XS 4 Encode 3 YAML-Syck 3 Apache-Session 3 Net-SNMP 3 XML-LibXML 3 Crypt-CBC 3 Safe 3 Crypt-Sodium-XS 3 Lemonldap-NG-Handler 3 Config-Model 3 mod_perl 3 DBD-Pg 3 SOAP-Lite 3 Dancer 3 DBD-MariaDB 3 Plack-Middleware-Session 3 UI-Dialog 3 Image-ExifTool 3 Lemonldap-NG-Common 3 Crypt-DSA 3 Net-DNS 3 CPAN 3 GBrowse 3 Lemonldap-NG-Manager 3 Perl6-Pugs 3 HTML-Parser 2 HTTP-Session2 2 Boost-Graph 2 Zonemaster-Backend 2 DBIx-Class-EncodedColumn 2 XML-Parser 2 Crypt-OpenSSL-PKCS12 2 Email-Address 2 Mozilla-CA 2 FCGI 2 cppAdaptive1 2 Catalyst-Runtime 2 Perl-Tidy 2 BSON-XS 2 Compress-Raw-Bzip2 2 PathTools 2 Alien-FreeImage 2 HarfBuzz-Shaper 2 MHonArc 2 Spreadsheet-ParseXLSX 2 Digest 2 Archive-Zip 2 Crypt-SaltedHash 2 Apache-Session-Browseable 2 YAML 2 Crypt-Random 2 EasyTCP 2 Locale-Maketext 2 Storable 2 Tcl 2 App-cpanminus 2 Win32-Printer 2 App-revealup 2 POSIX-2008 2 Net-OpenID-Consumer 2 Crypt-NaCl-Sodium 2 IO-Socket-SSL 2 Net-Statsd-Lite 2 HTTP-Daemon 2 cppAdaptive2 2 CGI-Session 2 PAR 2 Crypt-Perl 2 DataDog-DogStatsd 2 Plack-Middleware-Statsd 2 Module-Metadata 1 CBOR-XS 1 Catalyst-Action-REST 1 Crypt-ScryptKDF 1 Amon2-Auth-Site-LINE 1 XML-Atom 1 Net-Xero 1 JavaScript-Duktape 1 IPC-Run 1 CPAN-Checksums 1 JSON-XS 1 Unicode-LineBreak 1 Starman 1 CGI-Application-Plugin-AutoRunmode 1 WWW-UsePerl-Server 1 Apache-Wyrd 1 Net-IP-LPM 1 Net-IPv4Addr 1 Imager-File-GIF 1 Plack-Middleware-XSRFBlock 1 Gazelle 1 Amon2 1 Amon2-Plugin-Web-CSRFDefender 1 RPC-XML 1 eperl 1 Crypt-RandomEncryption 1 Mojo-DOM-Role-Analyzer 1 Mail-Audit 1 Graphics-ColorNames 1 Dancer2 1 Catalyst-Controller-Combine 1 PAR-Packer 1 Devel-StackTrace 1 ExtUtils-MakeMaker 1 Sub-HandlesVia 1 Crypt-SysRandom-XS 1 SVG-Sparkline 1 Apache2-API 1 App-Github-Email 1 XML-Simple 1 Cmd-Dwarf 1 Protocol-HTTP2 1 Search-OpenSearch-Server 1 WWW-Mechanize-Cached 1 Image-Info 1 MARC-File-XML 1 Term-ReadLine-Gnu 1 Otogiri 1 File-Temp 1 Pinto 1 LWP-Protocol-Net-Curl 1 Crypt-Primes 1 String-Compare-ConstantTime 1 Catalyst-Plugin-Session 1 Crypt-OpenSSL-RSA 1 Alien-PCRE2 1 Data-FormValidator 1 Clipboard 1 XML-Twig 1 Text-CSV_XS 1 Redis-Fast 1 Crypt-OpenSSL-DSA 1 Authen-SASL 1 Catalyst-Plugin-Authentication 1 Apache-AuthCAS 1 perl-ldap 1 Apache-SessionX 1 Amazon-Credentials 1 Crypt-PasswdMD5 1 Mojolicious-Plugin-OAuth2 1 Filesys-SmbClientParser 1 WWW-Mechanize 1 Template-Toolkit 1 Web-Passwd 1 PApp 1 CGI-Application-Dispatch 1 Crypt-Random-Source 1 Apache2-AuthAny 1

Filter by Repository

https://github.com/jquery/jquery 108 https://github.com/Perl/perl5 22 https://github.com/sqlite/sqlite 15 https://github.com/mojolicious/mojo 12 https://github.com/twbs/bootstrap 9 https://github.com/perl5-dbi/DBD-mysql 7 https://github.com/rurban/Cpanel-JSON-XS 6 https://github.com/briandfoy/cpan-security-advisory 6 https://github.com/glennrp/libpng 6 https://sourceforge.net/projects/sourceforge.net 6 https://github.com/madler/zlib 6 https://github.com/stigtsp/Net-CIDR-Lite 5 https://github.com/jib/archive-tar-new 5 https://github.com/perl5-dbi/dbi 5 https://github.com/pmqs/IO-Compress 4 https://github.com/facebook/zstd 4 https://github.com/kmx/alien-freeimage 3 https://github.com/cpan-authors/YAML-Syck 3 https://github.com/tonycoz/imager 3 https://github.com/DCIT/perl-CryptX 3 https://github.com/dod38fr/config-model 3 https://github.com/redis/hiredis 3 https://github.com/jquery/jquery-ui 3 https://github.com/libgit2/security 3 https://github.com/libtom/libtomcrypt 3 https://github.com/PerlDancer/Dancer 2 https://github.com/LemonLDAPNG/Apache-Session-Browseable 2 https://github.com/zonemaster/zonemaster-backend 2 https://github.com/ingydotnet/yaml-libyaml-pm 2 https://github.com/miyagawa/cpanminus 2 https://github.com/libwww-perl/HTTP-Daemon 2 https://github.com/svaarala/duktape 2 https://github.com/chartjs/Chart.js 2 https://github.com/robrwo/Plack-Middleware-Statsd 2 https://github.com/libwww-perl/libwww-perl 2 https://github.com/ingydotnet/yaml-pm 2 https://github.com/FGasper/p5-Crypt-Perl 2 https://github.com/cpan-authors/XML-Parser 2 https://github.com/chansen/p5-http-tiny 2 https://github.com/robrwo/perl-Crypt-SaltedHash 2 https://github.com/andk/cpanpm 2 https://github.com/cpan-authors/crypt-nacl-sodium 2 https://github.com/richgel999/miniz 2 https://github.com/tokuhirom/HTTP-Session2 2 https://github.com/hashcat/hashcat 2 https://github.com/AndyA/CGI--Simple 2 https://github.com/libtom/libtommath 2 https://github.com/mitmproxy/pdoc 2 https://github.com/jedisct1/libsodium 2 https://github.com/exiftool/exiftool 2 https://github.com/blog/1938-git-client-vulnerability-announced 2 https://github.com/hatukanezumi/Unicode-LineBreak 1 https://github.com/gitpan/PerlSpeak 1 https://github.com/perl-net-saml2/perl-XML-Sig 1 https://sourceforge.net/projects/net-snmp 1 https://github.com/perl-catalyst/Catalyst-Plugin-Authentication 1 https://github.com/plack/Plack-Middleware-Session 1 https://github.com/robrwo/perl-Mojolicious-Plugin-Statsd 1 https://github.com/cosimo/perl5-net-statsd 1 https://github.com/josdejong/jsoneditor 1 https://github.com/libwww-perl/HTML-Parser 1 https://github.com/houseabsolute/Data-Validate-IP 1 https://github.com/dagolden/Capture-Tiny 1 https://github.com/dajobe/raptor 1 https://github.com/toddr/Crypt-OpenSSL-RSA 1 https://github.com/robrwo/CatalystX-Statsd 1 https://github.com/redhotpenguin/perl-soaplite 1 https://github.com/miyagawa/Starman 1 https://github.com/dankogai/p5-encode 1 https://github.com/wrog/Net-OpenID-Consumer 1 https://github.com/ytnobody/Otogiri 1 https://github.com/cromedome/cgi-application-plugin-captcha 1 https://github.com/preaction/Log-Any 1 https://github.com/richardc/perl-file-find-rule 1 https://github.com/mtrmac/IPTables-Parse 1 https://github.com/hakimel/reveal.js 1 https://github.com/atoomic/Crypt-Random 1 https://github.com/libwww-perl/lwp-protocol-https 1 https://github.com/cpan-authors/XML-LibXML 1 https://github.com/cpan-authors/Text-CSV_XS 1 https://github.com/amaltsev/XAO-Web 1 https://github.com/xsawyerx/app-genpass 1 https://github.com/bluefeet/GitLab-API-v4 1 https://github.com/gbarr/perl-authen-sasl 1 https://github.com/FastCGI-Archives/fcgi2 1 https://github.com/LemonLDAPNG/Apache-Session-LDAP 1 https://github.com/rjbs/Email-MIME 1 https://github.com/dsully/perl-crypt-openssl-pkcs12 1 https://github.com/zhuowei/worthdoingbadly.com 1 https://github.com/kazeburo/Kossy 1 https://github.com/sgnix/kelp 1 https://github.com/certifi/python-certifi 1 https://github.com/kberov/Ado 1 https://github.com/ycdxsb/WindowsPrivilegeEscalation 1 https://github.com/gray/compress-lz4 1 https://github.com/kraih/mojo 1 https://github.com/redhotpenguin/perl-Archive-Zip 1 https://github.com/perl-catalyst/FCGI 1 https://github.com/svarshavchik/Net-CIDR 1 https://github.com/Perl-Toolchain-Gang/ExtUtils-MakeMaker 1 https://github.com/harfbuzz/harfbuzz 1 https://github.com/perl-catalyst/Catalyst-Authentication-Credential-HTTP 1 https://github.com/Leont/crypt-argon2 1 https://github.com/jberger/Galileo 1 https://github.com/pjuhasz/JSON-SIMD 1 https://github.com/faraco/App-Github-Email 1 https://github.com/plack/Plack 1 https://github.com/moment/moment 1 https://github.com/moxiecode/plupload 1 https://github.com/jkeenan/File-Path 1 https://github.com/abw/Template2 1 https://github.com/marcusramberg/Mojolicious-Plugin-OAuth2 1 https://github.com/atrodo/Net-Dropbear 1 https://github.com/Perl-Toolchain-Gang/HTTP-Tiny 1 https://github.com/snapappointments/bootstrap-select 1 https://github.com/robrwo/Net-Statsd-Lite 1 https://github.com/perltidy/perltidy 1 https://github.com/robrwo/Text-Minify-XS 1 https://github.com/markstos/CGI.pm 1 https://github.com/perl-catalyst/Catalyst-Plugin-Session 1 https://github.com/rjbs/Email-Address 1 https://github.com/clintongormley/perl-html-stripscripts 1 https://github.com/robrwo/Net-Statsd-Tiny 1 https://github.com/mkj/dropbear 1 https://github.com/Perl-Toolchain-Gang/File-Temp 1 https://github.com/Dual-Life/Devel-PPPort 1 https://github.com/kazuho/Starlet 1 https://bitbucket.org/shlomif/perl-config-inifiles 1 https://bitbucket.org/xi/libyaml 1 https://github.com/bwva/Concierge-Sessions 1 https://github.com/google/brotli 1 https://github.com/haile01/perl_spreadsheet_excel_rce_poc 1 https://github.com/karpet/Dezi 1 https://github.com/bluefeet/Starch 1 https://github.com/gisle/html-parser 1 https://github.com/angular/angular.js 1 https://github.com/DCIT/perl-Crypt-JWT 1 https://github.com/jmcnamara/spreadsheet-parseexcel 1 https://github.com/perl-Crypt-OpenPGP/Crypt-Random 1 https://github.com/thaljef/Pinto 1 https://github.com/karenetheridge/Crypt-Random-Source 1 https://github.com/tchatzi/Authen-TOTP 1 https://github.com/gbarr/perl-Convert-ASN1 1 https://github.com/Sereal/Sereal 1 https://github.com/seagirl/dwarf 1 https://github.com/creaktive/LWP-Protocol-Net-Curl 1 https://github.com/yuki-kimoto/DBIx-Custom 1 https://github.com/robrwo/perl-Net-CIDR-Set 1 https://github.com/markstos/CGI--Application 1 https://github.com/mojomojo/mojomojo 1 https://github.com/tokuhirom/Amon 1 https://github.com/libwww-perl/WWW-Mechanize-Cached 1 https://github.com/lstein/Lib-Crypt-CBC 1 https://github.com/rschupp/Module-ScanDeps 1 https://github.com/PerlDancer/Dancer2 1 https://github.com/grantm/xml-simple 1 https://github.com/kazeburo/Plack-Middleware-Session-Simple 1 https://github.com/karpet/search-opensearch-server 1 https://github.com/gwadej/svg-sparkline 1 https://github.com/gnustavo/SVN-Look 1 https://github.com/atoomic/Crypt-Primes 1