VYPR
Vypr IntelligenceAI-generatedJul 8, 2026· 7 CVEs

Perl Modules: Seven Vulnerabilities Disclosed, Affecting DBI, Crypt::DSA, and More

Seven vulnerabilities impacting various Perl modules were disclosed between July 5-8, 2026, with risks including DoS, code injection, and private key recovery.

Key findings

  • Seven vulnerabilities disclosed across multiple Perl modules including DBI, String::Util, and Mojo::JSON.
  • Issues range from denial-of-service and code injection to heap overflows and private key recovery.
  • DBI module affected by multiple flaws, with fixes in version 1.650.
  • Crypt::DSA vulnerability could lead to private key compromise due to biased random number generation.
  • Users urged to update affected Perl modules to patched versions.

On July 8, 2026, a batch of seven vulnerabilities affecting various Perl modules was disclosed, spanning a three-day window from July 5th to July 8th. These vulnerabilities impact modules such as String::Util, DBI, HTTP::Tiny, Mojo::JSON, and Crypt::DSA, with potential consequences ranging from regular expression denial of service and out-of-bounds reads to heap overflows, code injection, memory exhaustion, and private key recovery. The disclosures highlight ongoing security concerns within the Perl ecosystem.

Several vulnerabilities were found in the DBI module, a database interface for Perl. CVE-2026-14740 and CVE-2026-14739, both fixed in DBI version 1.650, involve an out-of-bounds read when deleting initial SQL comments and a heap overflow when parsing an extreme number of placeholders, respectively. Additionally, CVE-2026-14380, also patched in version 1.650, presents a code injection risk through caller-influenced profile attributes, where unvalidated package names can be evaluated.

Beyond DBI, other modules were also affected. CVE-2026-14895 in String::Util (versions before 1.36) allows for regular expression denial of service due to how its trim and rtrim functions handle trailing whitespace. HTTP::Tiny versions before 0.095 are vulnerable to CVE-2026-7017, which involves forwarding credential headers to cross-origin redirect targets. Mojo::JSON versions prior to 9.47 are susceptible to memory exhaustion (CVE-2026-14803) due to unbounded recursion in its pure-Perl decoder. Finally, CVE-2026-14570 in Crypt::DSA (versions before 1.22) allows for private key recovery due to a biased random generator used for signing nonces and private keys.

The Perl Foundation and its associated module maintainers have addressed these issues, with patches available in updated versions of the affected libraries. Users are strongly advised to update to the latest versions to mitigate these risks. The diverse nature of these vulnerabilities underscores the importance of regular security audits and timely patching across all components of a software supply chain.

This batch of disclosures serves as a reminder for Perl developers to stay vigilant about the security of the modules they depend on. The wide range of issues, from denial-of-service to potential code execution and private key compromise, emphasizes the need for proactive security practices and prompt updates to safeguard applications and data.

CVE-2026-14895 CVE-2026-14740 CVE-2026-14739 CVE-2026-14380 CVE-2026-7017 CVE-2026-14803 CVE-2026-14570

AI-written article. Grounded in 7 CVE records listed below.