Code Injection Vulnerability in DBI for Perl by Perl5 DBI
CVE-2026-14380

Currently unrated

Key Information:

Vendor

Hmbrand

Status
Vendor
CVE Published:
7 July 2026

What is CVE-2026-14380?

DBI versions prior to 1.650 for Perl are susceptible to a code injection risk due to insufficient validation of the Profile attribute. When malicious input is provided through the DBI_PROFILE environment variable, a direct attribute assignment, or a DSN driver-attribute clause (e.g., dbi:Driver(Profile=>SPEC)), an attacker can execute arbitrary Perl code. This vulnerability is particularly dangerous in remote scenarios involving a network-exposed DBI::Gofer or DBI::ProxyServer, where an attacker could run system commands on the host via the untrusted Profile inputs.

Affected Version(s)

DBI 0 < 1.650

References

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.