Path Rewriting Vulnerability in Plack::Middleware::XSendfile by MIYAGAWA
CVE-2026-7381

Currently unrated

Key Information:

Vendor: Miyagawa

CVE Published: 29 April 2026

What is CVE-2026-7381?

Plack::Middleware::XSendfile for Perl, prior to version 1.0053, has a critical vulnerability that allows client-controlled path rewriting. By manipulating the X-Sendfile-Type header, a malicious actor can redirect to arbitrary files, leveraging services behind nginx reverse proxies. Certain mitigations exist, including limitations on regex use in path mapping, but the risk should still be addressed, given that the middleware is now deprecated and slated for removal in future updates.
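One way to keep a client-supplied X-Sendfile-Type header away from the application, shown as an added example that is not code from Plack or from the advisory: a plain PSGI wrapper that deletes the header from the request environment. The helper name strip_proxy_only_headers, the sample environment and the inner app are constructed for illustration, and the example assumes the sendfile type is fixed in server-side configuration rather than read from the request.

```perl
use strict;
use warnings;
use IO::Handle;

# PSGI exposes the request header X-Sendfile-Type as HTTP_X_SENDFILE_TYPE.
# Assumption: only this key is listed; add others your proxy alone should set.
my @PROXY_ONLY_KEYS = qw(HTTP_X_SENDFILE_TYPE);

# Hypothetical helper: wrap a PSGI app so the listed keys never reach it.
sub strip_proxy_only_headers {
    my ($app) = @_;
    return sub {
        my ($env) = @_;
        for my $key (@PROXY_ONLY_KEYS) {
            next unless exists $env->{$key};
            delete $env->{$key};
            # Log the key and peer only; the header value is untrusted input.
            my $peer = $env->{REMOTE_ADDR} // 'unknown';
            $env->{'psgi.errors'}->print("dropped $key from peer $peer\n")
                if $env->{'psgi.errors'};
        }
        return $app->($env);
    };
}

# Constructed inner app: reports whether the header survived the wrapper.
my $inner = sub {
    my ($env) = @_;
    my $state = exists $env->{HTTP_X_SENDFILE_TYPE} ? 'present' : 'absent';
    return [200, ['Content-Type' => 'text/plain'],
            ["X-Sendfile-Type: $state\n"]];
};

# Constructed request environment, as a client-supplied header would appear.
my %env = (
    REQUEST_METHOD       => 'GET',
    PATH_INFO            => '/download',
    REMOTE_ADDR          => '192.0.2.10',
    HTTP_X_SENDFILE_TYPE => 'X-Accel-Redirect',
    'psgi.errors'        => \*STDERR,
);

my $res = strip_proxy_only_headers($inner)->(\%env);
print $res->[2][0];
```

The wrapper has to sit outside any layer that reads the header, so the key is gone from the shared environment before the response is processed.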

Affected Version(s)

Plack::Middleware::XSendfile 0 <= 1.0053

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

CPANSec