OS Command Injection Vulnerability in HTTP::Daemon by Perl
CVE-2026-8450
Currently unrated
What is CVE-2026-8450?
The HTTP::Daemon module for Perl is vulnerable to OS command injection because the send_file() function handles untrusted input improperly. The function opens its argument in a way that allows the argument to be treated as a command line, which can lead to execution of arbitrary OS commands with the UID of the process. An attacker who controls that input can craft a value that executes commands or manipulates files, which can result in unauthorized access and in data leaking through the HTTP response body. Users are strongly advised to upgrade to version 6.17 or later to mitigate this security risk.
Affected Version(s)
HTTP::Daemon 0 < 6.17
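
A defensive wrapper for callers of send_file(), added here as an example (not code from HTTP::Daemon or from this advisory): it warns when the installed module is older than 6.17, confines the requested path to a document root, opens it with an explicit read mode and hands send_file() an open handle instead of a string. It assumes the flaw is reached only when send_file() is given a string to open; the document root and the helper name send_static_file are hypothetical, and upgrading to 6.17 remains the fix.

```perl
use strict;
use warnings;
use Cwd qw(realpath);
use File::Spec;
use HTTP::Daemon;
use HTTP::Status qw(RC_FORBIDDEN RC_NOT_FOUND);

# Hypothetical document root for this example.
my $DOCROOT = realpath('/srv/www/static')
    or die "document root does not exist\n";

# Warn at startup when the installed module predates the fixed release.
warn "HTTP::Daemon $HTTP::Daemon::VERSION is older than 6.17; upgrade\n"
    unless eval { HTTP::Daemon->VERSION('6.17'); 1 };

# Hypothetical helper: serve $rel_path (request-derived, untrusted) from
# $DOCROOT over $conn, an HTTP::Daemon::ClientConn.
sub send_static_file {
    my ($conn, $rel_path) = @_;

    # Resolve symlinks and ".." first, then require the result to be a
    # regular file that is still under the document root.
    my $full = eval { realpath(File::Spec->catfile($DOCROOT, $rel_path)) };
    unless (defined $full && index($full, "$DOCROOT/") == 0 && -f $full) {
        $conn->send_error(RC_FORBIDDEN);
        return;
    }

    # Three-argument open with an explicit read mode: the path is only
    # ever used as a file name, whatever characters it contains.
    open(my $fh, '<', $full) or do {
        $conn->send_error(RC_NOT_FOUND);
        return;
    };
    binmode($fh);
    my $size = -s $fh;

    $conn->send_basic_header;    # status line plus Date and Server headers
    print $conn "Content-Type: application/octet-stream\r\n";
    print $conn "Content-Length: $size\r\n\r\n";
    $conn->send_file($fh);       # an open handle, never a string
    close($fh);
    return 1;
}
```

When auditing an application, the call sites to review are those where the argument to send_file() is a string derived from the request.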
