Description
GD versions before 2.86 for Perl allow OS command injection and file overwrite via a 2-arg open() of filename arguments in _make_filehandle.

GD::Image::_make_filehandle opens a filename argument with Perl's 2-arg open(), so a filename that begins or ends with a pipe ("| cmd", "cmd |") or begins with a redirect ("> path", ">> path") is run as a command or redirect rather than opened as a file. _make_filehandle is the single open path behind every filename-accepting constructor (new, newFromPng, newFromJpeg, and the rest); the in-memory *Data variants do not open a path and are unaffected.

Any caller that forwards untrusted input to one of these constructors as a pathname can run an arbitrary command or truncate a file under the process UID.
Published: 2026-06-14
Score: 9.8 Critical
EPSS: 1.4% Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

GD::Image::_make_filehandle opens a supplied filename with Perl's insecure two-argument open(), so a value that begins or ends with a pipe, or begins with a redirection operator, is interpreted as a command or redirection directive rather than a file path. An attacker who can supply such a crafted filename can execute arbitrary OS commands or truncate files with the privileges of the running process. The flaw is classified as CWE-73 and CWE-78 and can lead to full system compromise or data loss.

Affected Systems

The vulnerability affects all versions of the RURBAN:GD Perl library older than 2.86. Any constructor that accepts a filename argument—including new, newFromPng, newFromJpeg, and others—uses the flawed _make_filehandle path. In-memory data constructors that do not open a path are immune.

Risk and Exploitability

The likely attack vector, inferred from the description, is a malicious pathname that reaches a GD::Image constructor through web input, file uploads, or API calls. The CVSS score of 9.8 marks the issue as critical, and the EPSS score of 1% indicates a currently low probability of exploitation. The flaw is not listed in the CISA KEV catalog. Exploitation through the inferred vector takes relatively little effort. The damage depends on the privileges of the host process and can include remote code execution or destructive file overwrite.

Generated by OpenCVE AI on June 24, 2026 at 12:05 UTC.

Remediation

Vendor Solution

Upgrade to GD 2.86 or later, which opens filename arguments with a 3-arg read open so the filename is never interpreted as a command or redirect.


Vendor Workaround

For deployments that cannot upgrade to 2.86, do not pass untrusted input as a pathname to GD::Image constructors. Callers can open the file themselves and pass the resulting filehandle, which bypasses the affected string path.


OpenCVE Recommended Actions

  • Upgrade the GD Perl library to version 2.86 or greater, which replaces the unsafe two-argument open with a safe three-argument read open.
  • If an upgrade is not possible, avoid passing untrusted pathname strings to GD::Image constructors; instead, open the file yourself and pass the resulting filehandle to the constructor, bypassing the vulnerable logic.
  • Validate all pathname inputs before they reach GD::Image functions: reject strings that contain pipes or redirection operators, or otherwise restrict access to a trusted directory structure.
  • Run the application under the lowest privilege account so that any exploitation is limited to the permissions of that user.
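
The workaround and the input-validation step above, combined in one added example (not code from GD or from this advisory). The helper name load_png_from_untrusted_name, the allow-list pattern and the trusted directory are assumptions; POSIX path separators and a GD build with PNG support are assumed.

```perl
use strict;
use warnings;
use Cwd qw(realpath);
use File::Spec;
use File::Temp qw(tempdir);
use GD;

# Hypothetical helper (not part of GD): never hands GD a pathname
# string, so the 2-arg open() in _make_filehandle is never reached.
sub load_png_from_untrusted_name {
    my ($name, $trusted_dir) = @_;

    # Allow-list a bare file name: no directory separators, no
    # whitespace, none of the open() mode characters ("|", ">", "<").
    die "rejected file name\n"
        unless defined $name && $name =~ /\A[A-Za-z0-9][A-Za-z0-9._-]*\z/;

    # Resolve symlinks and confirm the target stays in the trusted dir.
    my $base = realpath($trusted_dir) or die "trusted directory not found\n";
    my $path = realpath(File::Spec->catfile($base, $name))
        or die "file not found\n";
    die "path escapes trusted directory\n" unless index($path, "$base/") == 0;

    # 3-arg open with an explicit read mode: $path is only a file name.
    open(my $fh, '<', $path) or die "cannot open file: $!\n";
    binmode($fh);

    # GD receives an already-open handle instead of a string.
    my $image = GD::Image->newFromPng($fh) or die "not a readable PNG\n";
    close($fh);
    return $image;
}

# Constructed demo: write a 4x4 truecolor PNG to a temp dir, load it back,
# then show that names shaped like those in the description are refused.
my $dir = tempdir(CLEANUP => 1);
open(my $out, '>', "$dir/sample.png") or die "cannot write sample: $!\n";
binmode($out);
print {$out} GD::Image->new(4, 4, 1)->png;
close($out);

for my $name ('sample.png', '../sample.png', 'sample.png |', '> sample.png') {
    my $img = eval { load_png_from_untrusted_name($name, $dir) };
    my $result = $img ? 'loaded ' . join('x', $img->getBounds) : "refused: $@";
    $result =~ s/\s+\z//;
    print "'$name' => $result\n";
}
```

The same handle-passing pattern applies to the other filename-accepting constructors; on GD 2.86 or later it remains useful as defence in depth for the path-confinement check.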



Advisories
Source | ID | Title
Debian DLA | DLA-4638-1 | libgd-perl security update
Debian DSA | DSA-6345-1 | libgd-perl security update
Ubuntu USN | USN-8484-1 | GD.pm vulnerability

History

Tue, 23 Jun 2026 21:30:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Rurban, Rurban gd
Vendors & Products | | Rurban, Rurban gd

Mon, 15 Jun 2026 17:30:00 +0000

Type | Values Removed | Values Added
Metrics | | cvssV3_1: {'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}
Metrics | | ssvc: {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Mon, 15 Jun 2026 00:30:00 +0000

Type Values Removed Values Added
References

Sun, 14 Jun 2026 12:00:00 +0000

Type | Values Removed | Values Added
Description | | GD versions before 2.86 for Perl allow OS command injection and file overwrite via a 2-arg open() of filename arguments in _make_filehandle. GD::Image::_make_filehandle opens a filename argument with Perl's 2-arg open(), so a filename that begins or ends with a pipe ("| cmd", "cmd |") or begins with a redirect ("> path", ">> path") is run as a command or redirect rather than opened as a file. _make_filehandle is the single open path behind every filename-accepting constructor (new, newFromPng, newFromJpeg, and the rest); the in-memory *Data variants do not open a path and are unaffected. Any caller that forwards untrusted input to one of these constructors as a pathname can run an arbitrary command or truncate a file under the process UID.
Title | | GD versions before 2.86 for Perl allow OS command injection and file overwrite via a 2-arg open() of filename arguments in _make_filehandle
Weaknesses | | CWE-73, CWE-78
References | |

MITRE

Status: PUBLISHED

Assigner: CPANSec

Published:

Updated: 2026-06-21T13:34:16.065Z

Reserved: 2026-06-07T19:26:46.259Z

Link: CVE-2026-11526

Vulnrichment

Updated: 2026-06-21T13:34:16.065Z

NVD

Status: Deferred

Published: 2026-06-14T12:16:22.403

Modified: 2026-06-16T15:41:12.897

Link: CVE-2026-11526

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-24T12:15:05Z

Weaknesses
  • CWE-73

    External Control of File Name or Path

  • CWE-78

    Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')