VYPR
Vendor: Libwww Perl

Products: 8
CVEs: 11
Across products: 12
Status: Private

Recent CVEs (11)
  • CVE-2026-8450 (Critical), May 27, 2026
    risk 0.52, cvss 9.1, epss 0.01

    HTTP::Daemon versions before 6.17 for Perl allow OS command injection via send_file(). send_file() opens its string argument with Perl's 2-arg open(). The 2-arg form interprets magic prefixes: '| cmd' and 'cmd |' open a pipe to a subprocess, '> path' and '>> path' open the path…

  • CVE-2026-8829 (High), Jun 4, 2026
    risk 0.42, cvss 7.5, epss 0.00

    HTML::Entities versions before 3.84 for Perl read freed heap memory in _decode_entities. The XS routine backing HTML::Entities::_decode_entities cached a pointer (repl) into the entity-value SV returned by hv_fetch on the entity2char hash. When the input SV was identical to a…

  • CVE-2026-8368 (Medium), May 12, 2026
    risk 0.35, cvss 6.5, epss 0.00

    LWP::UserAgent versions before 6.83 for Perl leak Authorization and Proxy-Authorization headers on cross-origin redirects. On a 3xx response, the redirect handler strips only Host and Cookie before issuing the follow-up request. Caller-supplied Authorization and…

  • CVE-2026-8612 (Medium), May 15, 2026
    risk 0.27, cvss 5.3, epss 0.00

    WWW::Mechanize::Cached versions before 2.00 for Perl deserialize cached HTTP responses from a world-writable on-disk cache, enabling local response forgery and code execution. With no explicit cache backend, WWW::Mechanize::Cached constructs a default Cache::FileCache under…

  • CVE-2011-3597, Jan 13, 2012
    risk 0.04, cvss n/a, epss 0.14

    Eval injection vulnerability in the Digest module before 1.17 for Perl allows context-dependent attackers to execute arbitrary commands via the new constructor.

  • CVE-1999-0267, Sep 23, 1997
    risk 0.04, cvss n/a, epss 0.10

    Buffer overflow in NCSA HTTP daemon v1.3 allows remote command execution.

  • CVE-2022-31081, Jun 27, 2022
    risk 0.00, cvss n/a, epss 0.02

    HTTP::Daemon is a simple HTTP server class written in Perl. Versions prior to 6.15 are subject to a vulnerability which could potentially be exploited to gain privileged access to APIs or poison intermediate caches. It is uncertain how large the risks are, most Perl based…

  • CVE-2014-3230, Jan 28, 2020
    risk 0.00, cvss n/a, epss 0.02

    The libwww-perl LWP::Protocol::https module 6.04 through 6.06 for Perl, when using IO::Socket::SSL as the SSL socket class, allows attackers to disable server certificate validation via the (1) HTTPS_CA_DIR or (2) HTTPS_CA_FILE environment variable.

  • CVE-2011-0633, May 13, 2011
    risk 0.00, cvss n/a, epss 0.04

    The Net::HTTPS module in libwww-perl (LWP) before 6.00, as used in WWW::Mechanize, LWP::UserAgent, and other products, when running in environments that do not set the If-SSL-Cert-Subject header, does not enable full validation of SSL certificates by default, which allows remote…

  • CVE-2010-2253, Jul 6, 2010
    risk 0.00, cvss n/a, epss 0.03

    lwp-download in libwww-perl before 5.835 does not reject downloads to filenames that begin with a . (dot) character, which allows remote servers to create or overwrite files via (1) a 3xx redirect to a URL with a crafted filename or (2) a Content-Disposition header that suggests…

  • CVE-2002-0703, Jul 26, 2002
    risk 0.00, cvss n/a, epss 0.01

    An interaction between the Perl MD5 module (perl-Digest-MD5) and Perl could produce incorrect MD5 checksums for UTF-8 data, which could prevent a system from properly verifying the integrity of the data.