Perl Foundation

All CVEs

128 total · sorted by risk
  • CVE-2005-1349 · May 2, 2005
    risk 0.04 · cvss · epss 0.13

    Buffer overflow in Convert-UUlib (Convert::UUlib) before 1.051 allows remote attackers to execute arbitrary code via a malformed parameter to a read operation.

  • CVE-2004-1096 · Jan 10, 2005
    risk 0.04 · cvss · epss 0.17

    Archive::Zip Perl module before 1.14, when used by antivirus programs such as amavisd-new, allows remote attackers to bypass antivirus protection via a compressed file with both local and global headers set to zero, which does not prevent the compressed file from being opened on…

  • CVE-2010-4777 · Feb 10, 2014
    risk 0.03 · cvss · epss 0.06

    The Perl_reg_numbered_buff_fetch function in Perl 5.10.0, 5.12.0, 5.14.0, and other versions, when running with debugging enabled, allows context-dependent attackers to cause a denial of service (assertion failure and application exit) via crafted input that is not properly…

  • CVE-2008-2827 · Jun 23, 2008
    risk 0.03 · cvss · epss 0.01

    The rmtree function in lib/File/Path.pm in Perl 5.10 does not properly check permissions before performing a chmod, which allows local users to modify the permissions of arbitrary files via a symlink attack, a different vulnerability than CVE-2005-0448 and CVE-2004-0452.

  • CVE-2005-0155 · May 2, 2005
    risk 0.03 · cvss · epss 0.01

    The PerlIO implementation in Perl 5.8.0, when installed with setuid support (sperl), allows local users to create arbitrary files via the PERLIO_DEBUG variable.

  • CVE-2005-0156 · Feb 7, 2005
    risk 0.03 · cvss · epss 0.01

    Buffer overflow in the PerlIO implementation in Perl 5.8.0, when installed with setuid support (sperl), allows local users to execute arbitrary code by setting the PERLIO_DEBUG variable and executing a Perl script whose full pathname contains a long directory tree.

  • CVE-2000-0703 · Oct 20, 2000
    risk 0.03 · cvss · epss 0.01

    suidperl (aka sperl) does not properly cleanse the escape sequence "~!" before calling /bin/mail to send an error report, which allows local users to gain privileges by setting the "interactive" environmental variable and calling suidperl with a filename that contains the escape…

  • CVE-1999-0034 · May 29, 1997
    risk 0.03 · cvss · epss 0.01

    Buffer overflow in suidperl (sperl), Perl 4.x and 5.x.

  • CVE-2022-48522 · Aug 22, 2023
    risk 0.01 · cvss · epss 0.02

    In Perl 5.34.0, function S_find_uninit_var in sv.c has a stack-based crash that can lead to remote code execution or local privilege escalation.

  • CVE-2020-10543 · Jun 5, 2020
    risk 0.01 · cvss · epss 0.11

    Perl before 5.30.3 on 32-bit platforms allows a heap-based buffer overflow because nested regular expression quantifiers have an integer overflow.

  • CVE-2018-18313 · Dec 7, 2018
    risk 0.01 · cvss · epss 0.09

    Perl before 5.26.3 has a buffer over-read via a crafted regular expression that triggers disclosure of sensitive information from process memory.

  • CVE-2018-18311 · Dec 7, 2018
    risk 0.01 · cvss · epss 0.12

    Perl before 5.26.3 and 5.28.x before 5.28.1 has a buffer overflow via a crafted regular expression that triggers invalid write operations.

  • CVE-2018-18312 · Dec 5, 2018
    risk 0.01 · cvss · epss 0.12

    Perl before 5.26.3 and 5.28.0 before 5.28.1 has a buffer overflow via a crafted regular expression that triggers invalid write operations.

  • CVE-2012-6329 · Jan 4, 2013
    risk 0.01 · cvss · epss 0.62

    The _compile function in Maketext.pm in the Locale::Maketext implementation in Perl before 5.17.7 does not properly handle backslashes and fully qualified method names during compilation of bracket notation, which allows context-dependent attackers to execute arbitrary commands…

  • CVE-2004-0377 · May 4, 2004
    risk 0.01 · cvss · epss 0.07

    Buffer overflow in the win32_stat function for (1) ActiveState's ActivePerl and (2) Larry Wall's Perl before 5.8.3 allows local or remote attackers to execute arbitrary commands via filenames that end in a backslash character.

  • CVE-2026-56018 · Jun 30, 2026
    risk 0.00 · cvss · epss

    JavaScript::Minifier::XS versions before 0.16 for Perl leak memory on every call to minify(), allowing unbounded memory growth. In JsMinify (XS.xs) the cleanup frees only the NodeSet structures and never the per-token contents buffers allocated in JsSetNodeContents;…

  • CVE-2026-13593 · Jun 30, 2026
    risk 0.00 · cvss · epss

    CSS::Minifier::XS versions before 0.14 for Perl have a memory leak when the entire document is minified away. The minify function has a memory leak when processing a document containing only characters to be removed, such as comments and whitespace.

  • CVE-2026-11625 · Jun 27, 2026
    risk 0.00 · cvss · epss 0.00

    Bytes::Random::Secure versions through 0.29 for Perl share internal state across forked processes. When an object is initialised before forking, or when the functional interface is used, then the internal state for the PRNG is shared across processes and identical random…

  • CVE-2026-2474 · Feb 16, 2026
    risk 0.00 · cvss · epss 0.00

    Crypt::URandom versions from 0.41 before 0.55 for Perl are vulnerable to a heap buffer overflow in the XS function crypt_urandom_getrandom(). The function does not validate that the length parameter is non-negative. If a negative value (e.g. -1) is supplied, the expression…

  • CVE-2024-56406 · Apr 13, 2025
    risk 0.00 · cvss · epss 0.00

    A heap buffer overflow vulnerability was discovered in Perl. Release branches 5.34, 5.36, 5.38 and 5.40 are affected, including development versions from 5.33.1 through 5.41.10. When there are non-ASCII bytes in the left-hand-side of the `tr` operator, `S_do_trans_invmap` can…

  • CVE-2025-1828 · Mar 10, 2025
    risk 0.00 · cvss · epss 0.00

    Crypt::Random Perl package 1.05 through 1.55 may use rand() function, which is not cryptographically strong, for cryptographic functions. If the Provider is not specified and /dev/urandom or an Entropy Gathering Daemon (egd) service is not available Crypt::Random will…

  • CVE-2024-45321 · Aug 27, 2024
    risk 0.00 · cvss · epss 0.01

    The App::cpanminus package through 1.7047 for Perl downloads code via insecure HTTP, enabling code execution for network attackers.

  • CVE-2023-47039 · Jan 2, 2024
    risk 0.00 · cvss · epss 0.00

    A vulnerability was found in Perl. This security issue occurs while Perl for Windows relies on the system path environment variable to find the shell (`cmd.exe`). When running an executable that uses the Windows Perl interpreter, Perl attempts to find and execute `cmd.exe`…

  • CVE-2023-47038 · Dec 18, 2023
    risk 0.00 · cvss · epss 0.01

    A vulnerability was found in perl 5.30.0 through 5.38.0. This issue occurs when a crafted regular expression is compiled by perl, which can allow an attacker controlled byte buffer overflow in a heap allocated buffer.

  • CVE-2021-36770 · Aug 11, 2021
    risk 0.00 · cvss · epss 0.01

    Encode.pm, as distributed in Perl through 5.34.0, allows local users to gain privileges via a Trojan horse Encode::ConfigLocal library (in the current working directory) that preempts dynamic module loading. Exploitation requires an unusual configuration, and certain 2021…

  • CVE-2021-29424 · Mar 29, 2021
    risk 0.00 · cvss · epss 0.02

    The Net::Netmask module before 2.0000 for Perl does not properly consider extraneous zero characters at the beginning of an IP address string, which (in some situations) allows attackers to bypass access control that is based on IP addresses.

  • CVE-2019-20919 · Sep 17, 2020
    risk 0.00 · cvss · epss 0.01

    An issue was discovered in the DBI module before 1.643 for Perl. The hv_fetch() documentation requires checking for NULL and the code does that. But, shortly thereafter, it calls SvOK(profile), causing a NULL pointer dereference.

  • CVE-2014-10402 · Sep 16, 2020
    risk 0.00 · cvss · epss 0.00

    An issue was discovered in the DBI module through 1.643 for Perl. DBD::File drivers can open files from folders other than those specifically passed via the f_dir attribute in the data source name (DSN). NOTE: this issue exists because of an incomplete fix for CVE-2014-10401.

  • CVE-2020-14393 · Sep 16, 2020
    risk 0.00 · cvss · epss 0.01

    A buffer overflow was found in perl-DBI < 1.643 in DBI.xs. A local attacker who is able to supply a string longer than 300 characters could cause an out-of-bounds write, affecting the availability of the service or integrity of data.

  • CVE-2020-14392 · Sep 16, 2020
    risk 0.00 · cvss · epss 0.01

    An untrusted pointer dereference flaw was found in Perl-DBI < 1.643. A local attacker who is able to manipulate calls to dbd_db_login6_sv() could cause memory corruption, affecting the service's availability.

  • CVE-2014-10401 · Sep 11, 2020
    risk 0.00 · cvss · epss 0.00

    An issue was discovered in the DBI module before 1.632 for Perl. DBD::File drivers can open files from folders other than those specifically passed via the f_dir attribute.

  • CVE-2013-7490 · Sep 11, 2020
    risk 0.00 · cvss · epss 0.03

    An issue was discovered in the DBI module before 1.632 for Perl. Using many arguments to methods for Callbacks may lead to memory corruption.

  • CVE-2013-7491 · Sep 11, 2020
    risk 0.00 · cvss · epss 0.03

    An issue was discovered in the DBI module before 1.628 for Perl. Stack corruption occurs when a user-defined function requires a non-trivial amount of memory and the Perl stack gets reallocated.

  • CVE-2020-12723 · Jun 5, 2020
    risk 0.00 · cvss · epss 0.06

    regcomp.c in Perl before 5.30.3 allows a buffer overflow via a crafted regular expression because of recursive S_study_chunk calls.

  • CVE-2020-10878 · Jun 5, 2020
    risk 0.00 · cvss · epss 0.05

    Perl before 5.30.3 has an integer overflow related to mishandling of a "PL_regkind[OP(n)] == NOTHING" situation. A crafted regular expression could lead to malformed bytecode with a possibility of instruction injection.

  • CVE-2011-4117 · Jan 31, 2020
    risk 0.00 · cvss · epss 0.01

    The Batch::BatchRun module 1.03 for Perl does not properly handle temporary files.

  • CVE-2011-1933 · Nov 26, 2019
    risk 0.00 · cvss · epss 0.02

    SQL injection vulnerability in Jifty::DBI before 0.68.

  • CVE-2018-18314 · Dec 7, 2018
    risk 0.00 · cvss · epss 0.06

    Perl before 5.26.3 has a buffer overflow via a crafted regular expression that triggers invalid write operations.

  • CVE-2015-7686 · Oct 6, 2015
    risk 0.00 · cvss · epss 0.03

    Algorithmic complexity vulnerability in Address.pm in the Email-Address module 1.908 and earlier for Perl allows remote attackers to cause a denial of service (CPU consumption) via a crafted string containing a list of e-mail addresses in conjunction with parenthesis characters…

  • CVE-2013-7422 · Aug 16, 2015
    risk 0.00 · cvss · epss 0.03

    Integer underflow in regcomp.c in Perl before 5.20, as used in Apple OS X before 10.10.5 and other products, allows context-dependent attackers to execute arbitrary code or cause a denial of service (application crash) via a long digit string associated with an invalid…

  • CVE-2015-3408 · May 19, 2015
    risk 0.00 · cvss · epss 0.06

    Module::Signature before 0.74 allows remote attackers to execute arbitrary shell commands via a crafted SIGNATURE file which is not properly handled when generating checksums from a signed manifest.

  • CVE-2013-7329 · Oct 6, 2014
    risk 0.00 · cvss · epss 0.02

    The CGI::Application module before 4.50_50 and 4.50_51 for Perl, when run modes are not specified, allows remote attackers to obtain sensitive information (web queries and environment details) via vectors related to the dump_html function.

  • CVE-2014-4330 · Sep 30, 2014
    risk 0.00 · cvss · epss 0.01

    The Dumper method in Data::Dumper before 2.154, as used in Perl 5.20.1 and earlier, allows context-dependent attackers to cause a denial of service (stack consumption and crash) via an Array-Reference with many nested Array-References, which triggers a large number of recursive…

  • CVE-2012-6143 · Jun 4, 2014
    risk 0.00 · cvss · epss 0.03

    Spoon::Cookie in the Spoon module 0.24 for Perl does not properly use the Storable::thaw function, which allows remote attackers to execute arbitrary code via a crafted request, which is not properly handled when it is deserialized.

  • CVE-2013-7135 · Jan 28, 2014
    risk 0.00 · cvss · epss 0.00

    The Proc::Daemon module 0.14 for Perl uses world-writable permissions for a file that stores a process ID, which allows local users to have an unspecified impact by modifying this file.

  • CVE-2013-1667 · Mar 14, 2013
    risk 0.00 · cvss · epss 0.04

    The rehash mechanism in Perl 5.8.2 through 5.16.x allows context-dependent attackers to cause a denial of service (memory consumption and crash) via a crafted hash key.

  • CVE-2011-2728 · Dec 21, 2012
    risk 0.00 · cvss · epss 0.01

    The bsd_glob function in the File::Glob module for Perl before 5.14.2 allows context-dependent attackers to cause a denial of service (crash) via a glob expression with the GLOB_ALTDIRFUNC flag, which triggers an uninitialized pointer dereference.

  • CVE-2012-5195 · Dec 18, 2012
    risk 0.00 · cvss · epss 0.05

    Heap-based buffer overflow in the Perl_repeatcpy function in util.c in Perl 5.12.x before 5.12.5, 5.14.x before 5.14.3, and 5.15.x before 15.15.5 allows context-dependent attackers to cause a denial of service (memory consumption and crash) or possibly execute arbitrary code via…

  • CVE-2012-5526 · Nov 21, 2012
    risk 0.00 · cvss · epss 0.03

    CGI.pm module before 3.63 for Perl does not properly escape newlines in (1) Set-Cookie or (2) P3P headers, which might allow remote attackers to inject arbitrary headers into responses from applications that use CGI.pm.

  • CVE-2012-1152 · Sep 9, 2012
    risk 0.00 · cvss · epss 0.02

    Multiple format string vulnerabilities in the error reporting functionality in the YAML::LibYAML (aka YAML-LibYAML and perl-YAML-LibYAML) module 0.38 for Perl allow remote attackers to cause a denial of service (process crash) via format string specifiers in a (1) YAML stream to…