OS Command Injection and File Overwrite in Config::IniFiles by Perl
CVE-2026-11527

Currently unrated

Key Information:

Vendor: Shlomif

CVE Published: 14 June 2026

What is CVE-2026-11527?

The Config::IniFiles library for Perl is vulnerable to OS command injection and file overwrite through the way its _make_filehandle method handles the -file argument. The vulnerability occurs when an attacker can supply a filename that includes shell meta-characters, allowing arbitrary commands to be executed or files to be truncated. Specifically, input that begins or ends with a pipe or redirect can lead to the execution of unintended commands. Users should avoid passing untrusted input to the -file argument and should upgrade to the fixed version 3.001000 or later to mitigate this risk.
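One way to follow the advice above in calling code, as an added example that is not part of the original advisory or of Config::IniFiles itself: the caller allow-lists the untrusted name and opens the file itself with a fixed read mode, then passes the resulting handle to -file (the module's documentation lists a filehandle as an accepted value), so the untrusted string never reaches the library. The helper name `open_ini_readonly`, the allow-list pattern and the sample names are assumptions made for illustration.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use File::Spec;
use File::Temp qw(tempdir);
use Config::IniFiles;

# Hypothetical helper (not part of Config::IniFiles): turn an untrusted name
# into a read-only handle so the string itself is never given to -file.
sub open_ini_readonly {
    my ($base_dir, $name) = @_;

    # Allow-list: a plain "*.ini" file name. This rejects pipes, redirects,
    # whitespace, path separators and leading dots in one check.
    die "rejected config name\n"
        unless defined $name
        && $name =~ /\A[A-Za-z0-9_][A-Za-z0-9_.-]*\.ini\z/;

    my $path = File::Spec->catfile($base_dir, $name);

    # Three-argument open: the mode is fixed to read, so nothing in $path
    # is interpreted as a mode, a pipe or a redirect.
    open(my $fh, '<', $path) or die "cannot open config: $!\n";
    return $fh;
}

# Constructed sample data: one valid INI file in a temporary directory.
my $dir = tempdir(CLEANUP => 1);
{
    open(my $out, '>', File::Spec->catfile($dir, 'app.ini')) or die $!;
    print {$out} "[db]\nhost=localhost\n";
    close $out;
}

# Constructed sample names: one legitimate, the rest shaped like the inputs
# the advisory describes (leading/trailing pipe or redirect) plus traversal.
for my $candidate ('app.ini', '| placeholder', 'placeholder |',
                   '> app.ini', '../app.ini') {
    my $fh = eval { open_ini_readonly($dir, $candidate) };
    if (!$fh) {
        print "REJECT  '$candidate'\n";
        next;
    }
    my $cfg = Config::IniFiles->new(-file => $fh)
        or die "parse failed: @Config::IniFiles::errors\n";
    printf "ACCEPT  '%s'  db.host=%s\n", $candidate, $cfg->val('db', 'host');
    close $fh;
}
```

This pattern complements upgrading to 3.001000 or later and does not replace it.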

Affected Version(s)

Config::IniFiles 0 < 3.001000

Timeline

  • Vulnerability published

  • Vulnerability Reserved
