Terminal Control Sequence Vulnerable in App::Ack by Perl
CVE-2026-49147

7.5HIGH

Key Information:

Vendor

Petdance

Status
Vendor
CVE Published:
8 July 2026

What is CVE-2026-49147?

App::Ack, a tool for searching through source code, is vulnerable to escaping terminal control sequences in filenames. This issue can result in the printed filenames containing raw terminal control bytes when certain output modes are used, such as --show-types and the -l/-L arguments. These byte sequences can manipulate the terminal display by overwriting previous output or altering the text color. Despite the introduction of a _safe_filename helper in version 3.10.0 to sanitize certain outputs, vulnerabilities remain in specific paths that allow attackers to exploit this weakness.

Affected Version(s)

App::Ack 0 <= 3.10.0

References

CVSS V3.1

Score:
7.5
Severity:
HIGH
Confidentiality:
None
Integrity:
None
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Michał Majchrowicz (AFINE)
Marcin Wyczechowski (AFINE)
.