OS Command Injection Vulnerability in GD Library for Perl
CVE-2026-11526

Currently unrated

Key Information:

Vendor: Rurban

Status
Vendor
CVE Published: 14 June 2026

What is CVE-2026-11526?

The GD library for Perl, in versions prior to 2.86, contains a vulnerability that allows OS command injection and file overwrite. The function GD::Image::_make_filehandle passes filename arguments to Perl's 2-arg open. As a result, any filename beginning or ending with a pipe or a redirect is interpreted as a command to execute or a file to modify instead of as a file path. Because of this flaw, untrusted input to one of the library's constructors can lead to arbitrary command execution or unintended file truncation, posing significant risks to the system.
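The difference between 2-arg and 3-arg open described above, as an added example that is not GD's own code: it flags names that 2-arg open would not treat as a plain path, then shows 3-arg open reading such a name as an ordinary file. The helper names is_magic_open_name and open_image_readonly are hypothetical, the sample filenames are constructed, and the script never calls 2-arg open.

```perl
#!/usr/bin/env perl
use strict;
use warnings;
use File::Temp qw(tempdir);

# Hypothetical helper: true when 2-arg open() would read $name as anything
# other than "open the file with exactly this name for reading".
sub is_magic_open_name {
    my ($name) = @_;
    return 1 if $name =~ /^\s*(?:\+?[<>]|\|)/;  # leading mode, redirect or pipe
    return 1 if $name =~ /\|\s*$/;              # trailing pipe
    return 1 if $name =~ /^\s|\s$/;             # 2-arg open strips outer whitespace
    return 1 if $name eq '-';                   # '-' is STDIN in 2-arg open
    return 0;
}

# Hypothetical helper: 3-arg open keeps the mode separate from the name, so
# the name is only ever a path. Returns a binary read handle or dies.
sub open_image_readonly {
    my ($name) = @_;
    open(my $fh, '<', $name) or die "cannot open '$name': $!\n";
    binmode $fh;
    return $fh;
}

# Constructed sample names (never opened here).
for my $name ('photo.png', 'uploads/a b.png', '| cmd', 'cmd |', '> out.png', ' photo.png', '-') {
    printf "%-20s %s\n", "'$name'", is_magic_open_name($name) ? 'reject' : 'plain path';
}

# A constructed file whose name ends in a pipe (POSIX filesystems only):
# 3-arg open reads it as an ordinary file and starts no process.
my $dir  = tempdir(CLEANUP => 1);
my $path = "$dir/thumb.png|";
open(my $out, '>', $path) or die "cannot create '$path': $!\n";
print {$out} "constructed test bytes\n";
close $out or die "close failed: $!\n";

my $fh = open_image_readonly($path);
my $line = <$fh>;
close $fh;
print "3-arg open read from '$path': $line";
```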

Affected Version(s)

GD 0 < 2.86

Timeline

  • Vulnerability published

  • Vulnerability Reserved
