Code Injection Vulnerability in DBI for Perl by Perl5 DBI
CVE-2026-14380
Currently unrated
What is CVE-2026-14380?
DBI versions prior to 1.650 for Perl are susceptible to a code injection risk due to insufficient validation of the Profile attribute. When malicious input is provided through the DBI_PROFILE environment variable, a direct attribute assignment, or a DSN driver-attribute clause (e.g., dbi:Driver(Profile=>SPEC)), an attacker can execute arbitrary Perl code. This vulnerability is particularly dangerous in remote scenarios involving a network-exposed DBI::Gofer or DBI::ProxyServer, where an attacker could run system commands on the host via the untrusted Profile inputs.
Affected Version(s)
DBI 0 < 1.650
