Terminal Control Sequence Vulnerable in App::Ack by Perl
CVE-2026-49147
7.5HIGH
What is CVE-2026-49147?
App::Ack, a tool for searching through source code, is vulnerable to escaping terminal control sequences in filenames. This issue can result in the printed filenames containing raw terminal control bytes when certain output modes are used, such as --show-types and the -l/-L arguments. These byte sequences can manipulate the terminal display by overwriting previous output or altering the text color. Despite the introduction of a _safe_filename helper in version 3.10.0 to sanitize certain outputs, vulnerabilities remain in specific paths that allow attackers to exploit this weakness.
Affected Version(s)
App::Ack 0 <= 3.10.0
References
CVSS V3.1
Score:
7.5
Severity:
HIGH
Confidentiality:
None
Integrity:
None
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged
Timeline
Vulnerability published
Vulnerability Reserved
Credit
Michał Majchrowicz (AFINE)
Marcin Wyczechowski (AFINE)
