File Reading Vulnerability in App::Ack for Perl by PETDANCE
CVE-2026-49145

7.5HIGH

Key Information:

Vendor

Petdance

Status
Vendor
CVE Published:
8 July 2026

What is CVE-2026-49145?

App::Ack prior to version 3.10.0 for Perl allows arbitrary file reading through the --files-from option set in a project's .ackrc configuration file. This configuration can lead ack to access files beyond the intended project directory, potentially exposing sensitive information. The vulnerability arises because the project-source option blocklist in App::Ack::ConfigLoader does not restrict the --files-from option, enabling malicious users to point this to arbitrary file paths. It is crucial for developers to ensure their .ackrc files are not contributed to untrusted repositories to prevent exposure of unintended files.

Affected Version(s)

App::Ack 0 <= 3.10.0

References

CVSS V3.1

Score:
7.5
Severity:
HIGH
Confidentiality:
None
Integrity:
None
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Michał Majchrowicz (AFINE)
Marcin Wyczechowski (AFINE)
.