Perl Foundation
The Perl and Raku Foundation (TPRF), also known as Yet Another Society, is a non-profit, 501(c)(3) organization based in Holland, Michigan. It is dedicated to the advancement of the Perl and Raku programming languages through open discussion, collaboration, design, and code. The foundation carries out a range of activities, including "the collection and distribution of development grants, sponsorship and organization of community-led local and international Perl conferences, and support for community web sites and user groups."
Products
- 64 products in total
Recent CVEs
| CVE | Severity | Risk | CVSS | EPSS | Published | Description |
|---|---|---|---|---|---|---|
| CVE-2018-6913 | Critical | 0.65 | 9.8 | 0.11 | Apr 17, 2018 | Heap-based buffer overflow in the pack function in Perl before 5.26.2 allows context-dependent attackers to execute arbitrary code via a large item count. |
| CVE-2024-55564 | Critical | 0.64 | 9.8 | 0.00 | Dec 9, 2024 | The POSIX::2008 package before 0.24 for Perl has a potential _execve50c env buffer overflow. |
| CVE-2018-6797 | Critical | 0.64 | 9.8 | 0.07 | Apr 17, 2018 | An issue was discovered in Perl 5.18 through 5.26. A crafted regular expression can cause a heap-based buffer overflow, with control over the bytes written. |
| CVE-2008-7319 | Critical | 0.64 | 9.8 | 0.06 | Nov 7, 2017 | The Net::Ping::External extension through 0.15 for Perl does not properly sanitize arguments (e.g., invalid hostnames) containing shell metacharacters before use of backticks in External.pm, allowing for shell command injection and arbitrary command execution if untrusted input… |
| CVE-2017-12814 | Critical | 0.64 | 9.8 | 0.07 | Sep 28, 2017 | Stack-based buffer overflow in the CPerlHost::Add method in win32/perlhost.h in Perl before 5.24.3-RC1 and 5.26.x before 5.26.1-RC1 on Windows allows attackers to execute arbitrary code via a long environment variable. |
| CVE-2017-10788 | Critical | 0.64 | 9.8 | 0.05 | Jul 1, 2017 | The DBD::mysql module through 4.043 for Perl allows remote attackers to cause a denial of service (use-after-free and application crash) or possibly have unspecified other impact by triggering (1) certain error responses from a MySQL server or (2) a loss of a network connection… |
| CVE-2017-10672 | Critical | 0.64 | 9.8 | 0.08 | Jun 29, 2017 | Use-after-free in the XML-LibXML module through 2.0129 for Perl allows remote attackers to execute arbitrary code by controlling the arguments to a replaceChild call. |
| CVE-2015-8608 | Critical | 0.64 | 9.8 | 0.05 | Feb 7, 2017 | The VDir::MapPathA and VDir::MapPathW functions in Perl 5.22 allow remote attackers to cause a denial of service (out-of-bounds read) and possibly execute arbitrary code via a crafted (1) drive letter or (2) pInName argument. |
| CVE-2017-12883 | Critical | 0.60 | 9.1 | 0.06 | Sep 19, 2017 | Buffer overflow in the S_grok_bslash_N function in regcomp.c in Perl 5 before 5.24.3-RC1 and 5.26.x before 5.26.1-RC1 allows remote attackers to disclose sensitive information or cause a denial of service (application crash) via a crafted regular expression with an invalid… |
| CVE-2026-50638 | Critical | 0.59 | 9.1 | 0.00 | Jun 10, 2026 | Metrics::Any::Adapter::DogStatsd versions before 0.04 for Perl does not protect against metric injections. The statsd protocol (and extensions such as dogstatsd) allow multiple metrics, separated by newlines, to be sent per packet. Metrics::Any::Adapter::DogStatsd which extends… |
| CVE-2021-47155 | Critical | 0.59 | 9.1 | 0.01 | Mar 18, 2024 | The Net::IPV4Addr module 0.10 for Perl does not properly consider extraneous zero characters in an IP address string, which (in some situations) allows attackers to bypass access control that is based on IP addresses. |
| CVE-2016-9180 | Critical | 0.59 | 9.1 | 0.04 | Dec 22, 2016 | perl-XML-Twig: The option to `expand_external_ents`, documented as controlling external entity expansion in XML::Twig, does not work. External entities are always expanded, regardless of the option's setting. |
| CVE-2026-9698 | Critical | 0.57 | 9.8 | 0.00 | Jun 9, 2026 | DBI versions before 1.648 for Perl saved errors in a limited-sized buffer. Error messages that were returned when RaiseError, PrintError or HandleError were set were written to a 200-byte buffer without a length limit. Attackers that can influence the error text in an… |
| CVE-2026-10879 | Critical | 0.57 | 9.8 | 0.00 | Jun 5, 2026 | DBI versions before 1.648 for Perl have a heap overflow when preparsing SQL statements with more than 9 binders. The preparse method expands SQL placeholder characters to numbered binders of the form :pN, but only allocates three characters per binder in the buffer. … |
| CVE-2026-8376 | Critical | 0.57 | 9.8 | 0.00 | May 26, 2026 | Perl versions through 5.43.10 have a heap buffer overflow when compiling regular expressions with a repeated fixed string on 32-bit builds. Perl_study_chunk in regcomp_study.c checked the size of the joined substring buffer in characters rather than bytes. For a quantified… |
| CVE-2026-4176 | Critical | 0.57 | 9.8 | 0.01 | Mar 29, 2026 | Perl versions from 5.9.4 before 5.40.4-RC1, from 5.41.0 before 5.42.2-RC1, from 5.43.0 before 5.43.9 contain a vulnerable version of Compress::Raw::Zlib. Compress::Raw::Zlib is included in the Perl package as a dual-life core module, and is vulnerable to CVE-2026-3381 due to a… |
| CVE-2015-8949 | Critical | 0.57 | 9.8 | 0.04 | Aug 19, 2016 | Use-after-free vulnerability in the my_login function in DBD::mysql before 4.033_01 allows attackers to have unspecified impact by leveraging a call to mysql_errno after a failure of my_login. |
| CVE-2014-9906 | Critical | 0.57 | 9.8 | 0.06 | Aug 19, 2016 | Use-after-free vulnerability in DBD::mysql before 4.029 allows attackers to cause a denial of service (program crash) or possibly execute arbitrary code via vectors related to a lost server connection. |
| CVE-2026-12087 | Critical | 0.52 | 9.1 | 0.00 | Jun 15, 2026 | Socket versions before 2.041 for Perl have an out-of-bounds heap read. In Socket.xs, pack_ip_mreq_source() checks the length of its source argument before the argument is read, so the check tests the byte length carried over from the preceding multiaddr argument instead. Both… |
| CVE-2016-6185 | High | 0.51 | 7.8 | 0.01 | Aug 2, 2016 | The XSLoader::load method in XSLoader in Perl does not properly locate .so files when called in a string eval, which might allow local users to execute arbitrary code via a Trojan horse library under the current working directory. |