Arbitrary Code Execution in IO::Compress for Perl
CVE-2026-48962
Currently unrated
What is CVE-2026-48962?
The IO::Compress module for Perl is vulnerable to arbitrary code execution through its handling of user-supplied output glob strings. The _parseOutputGlob() method wraps these strings in double quotes, which can allow an attacker who controls the string to inject Perl code. _getFiles() then executes the stored expression using eval STRING, so the injected code runs with the privileges of the calling process. Output glob strings that originate from untrusted input therefore need to be validated and sanitized before they reach the module.
Affected Version(s)
IO::Compress 0 < 2.220
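
A caller-side guard for the issue described above, as an added example that is not code from IO::Compress or from this advisory: it checks the installed version against the affected range listed here and refuses output glob strings that fall outside a strict allowlist. The function names and the allowlist policy are assumptions made for illustration, and the sample strings are constructed.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use version;

# First version outside the affected range listed on this page (0 < 2.220).
my $FIRST_UNAFFECTED = version->parse('2.220');

# True when an IO::Compress version string falls inside the affected range.
sub is_affected_version {
    my ($installed) = @_;
    return version->parse($installed) < $FIRST_UNAFFECTED ? 1 : 0;
}

# Assumed local policy (not from the advisory): an output glob that comes from
# an untrusted source may hold only path characters, '*' and '#<digit>'
# references, optionally wrapped in '<' and '>'. Quotes, sigils, backslashes,
# whitespace and control characters are all refused.
sub is_safe_output_glob {
    my ($glob) = @_;
    return 0 unless defined $glob && length $glob;
    return $glob =~ m{\A<?(?:[A-Za-z0-9._/*-]|\#[0-9])+>?\z} ? 1 : 0;
}

# Report on the installed module, if any.
my $installed = eval { require IO::Compress::Base; IO::Compress::Base->VERSION };
if (defined $installed) {
    printf "IO::Compress %s: %s\n", $installed,
        is_affected_version($installed) ? 'in affected range' : 'not in affected range';
}

# Constructed sample inputs, not taken from the advisory.
my @samples = ('<*.gz>', '<out/#1.gz>', '<out/$name.gz>', '<back"up.gz>', "<a.gz>\n");
for my $glob (@samples) {
    (my $shown = $glob) =~ s/\n/\\n/g;
    printf "%-16s %s\n", $shown, is_safe_output_glob($glob) ? 'accept' : 'reject';
}
```

The allowlist is deliberately narrower than what the module accepts, so widen it only for characters the application's output names actually need.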
