Description
Config::IniFiles versions before 3.001000 for Perl allow OS command injection and file overwrite via a 2-arg open() of the -file argument in _make_filehandle.

Config::IniFiles::_make_filehandle opens a filename argument with Perl's 2-arg open(), so a filename that begins or ends with a pipe ("| cmd", "cmd |") or begins with a redirect ("> path", ">> path") is run as a command or redirect rather than opened as a file. The helper is the open path behind the documented -file argument: new(-file => $thing) reaches it through ReadConfig. An in-memory scalar reference (-file => \$text) does not open a path and is unaffected.

Any caller that forwards untrusted input to the -file argument can run an arbitrary command or truncate a file under the process UID.
Published: 2026-06-14
Score: n/a
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Config::IniFiles before version 3.001000 opens the -file argument with Perl's 2-argument open, which treats a filename that begins or ends with a pipe, or begins with a redirect, as a shell command or a redirection rather than as a path. An attacker who can influence the -file parameter can therefore inject arbitrary operating-system commands, or overwrite a file by redirecting output to a target path. The vulnerability is mapped to CWE-73 (External Control of File Name or Path) and CWE-78 (Improper Neutralization of Special Elements used in an OS Command, 'OS Command Injection').

Affected Systems

The affected product is the Perl module SHLOMIF::Config::IniFiles, versions prior to 3.001000. Any system that loads or parses INI files with this module and supplies untrusted data to the -file option is at risk. The issue is specific to the module’s internal _make_filehandle routine and does not affect other Perl modules or native binaries.

Risk and Exploitability

The CVSS score is not provided in the CVE data, but the exploitability is clear: an attacker can supply a specially crafted filename and have the target process execute arbitrary commands or truncate arbitrary files under the process UID. The EPSS score is not available, and the vulnerability is not listed in CISA’s KEV catalog. The likely attack vector is the configuration parsing path where an untrusted user can supply or influence the -file argument. There are no known mitigations beyond those provided by the vendor, so the risk remains high until fixed.

Generated by OpenCVE AI on June 14, 2026 at 13:20 UTC.

Remediation

Vendor Solution

Upgrade to Config::IniFiles 3.001000 or later, which opens the -file argument with a 3-arg read open so the filename is never interpreted as a command or redirect.

Vendor Workaround

For deployments that cannot upgrade to 3.001000, do not pass untrusted input as the -file argument. Callers can open the file themselves and pass the resulting filehandle, or pass the configuration as an in-memory scalar reference, which bypasses the affected string path.

OpenCVE Recommended Actions

  • Upgrade Config::IniFiles to version 3.001000 or later, which opens the -file argument with a 3-argument read open, preventing reinterpretation of the filename.
  • If an upgrade is not immediately possible, avoid passing untrusted input directly to the -file option; instead, open the file yourself and pass the resulting filehandle to the configuration loader, or supply the configuration as an in-memory scalar reference, which bypasses the unsafe path logic.
  • Verify that the configuration code uses either a filehandle or a scalar reference instead of a raw filename when calling Config::IniFiles::new.
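The vendor workaround and the recommended actions above, as an added Perl example that is not part of the advisory or of the Config::IniFiles distribution: the caller performs the 3-arg open itself and hands Config::IniFiles a filehandle or a scalar reference, so the -file string never reaches the 2-arg open() in _make_filehandle. The File::Temp directory, the oddly named file and the INI content are constructed for the demonstration.

```perl
#!/usr/bin/env perl
use strict;
use warnings;
use Config::IniFiles;
use File::Temp qw(tempdir);
use File::Spec;

# Open the caller-supplied path with a 3-arg read open and pass the resulting
# FILEHANDLE to Config::IniFiles. The string itself never reaches the module's
# own 2-arg open() in _make_filehandle (pre-3.001000), so a name shaped like
# "| cmd", "cmd |" or "> path" is only ever treated as a path.
sub load_ini_from_path {
    my ($path) = @_;
    open(my $fh, '<', $path) or die "cannot open '$path': $!\n";
    my $cfg = Config::IniFiles->new(-file => $fh)
        or die "INI parse error: @Config::IniFiles::errors\n";
    close $fh;
    return $cfg;
}

# For configuration text already held in memory, a scalar reference skips the
# string-path branch of _make_filehandle entirely.
sub load_ini_from_text {
    my ($text) = @_;
    return Config::IniFiles->new(-file => \$text)
        || die "INI parse error: @Config::IniFiles::errors\n";
}

# Constructed demonstration (POSIX filesystem): a file whose name begins with a
# redirect character. With 3-arg open on both sides it is just an odd filename;
# the same string handed to a 2-arg open() would be a redirection.
my $dir = tempdir(CLEANUP => 1);
my $odd = File::Spec->catfile($dir, '> settings.ini');
open(my $out, '>', $odd) or die "cannot create '$odd': $!\n";
print $out "[db]\nhost=localhost\nport=5432\n";
close $out;

my $cfg = load_ini_from_path($odd);
printf "db.host=%s db.port=%s\n", $cfg->val('db', 'host'), $cfg->val('db', 'port');

my $mem = load_ini_from_text("[app]\ndebug=0\n");
printf "app.debug=%s\n", $mem->val('app', 'debug');
```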

Advisories

No advisories yet.

History

Sun, 14 Jun 2026 12:00:00 +0000

Type: Description
Values Removed: (none)
Values Added: Config::IniFiles versions before 3.001000 for Perl allow OS command injection and file overwrite via a 2-arg open() of the -file argument in _make_filehandle. Config::IniFiles::_make_filehandle opens a filename argument with Perl's 2-arg open(), so a filename that begins or ends with a pipe ("| cmd", "cmd |") or begins with a redirect ("> path", ">> path") is run as a command or redirect rather than opened as a file. The helper is the open path behind the documented -file argument: new(-file => $thing) reaches it through ReadConfig. An in-memory scalar reference (-file => \$text) does not open a path and is unaffected. Any caller that forwards untrusted input to the -file argument can run an arbitrary command or truncate a file under the process UID.

Type: Title
Values Removed: (none)
Values Added: Config::IniFiles versions before 3.001000 for Perl allow OS command injection and file overwrite via a 2-arg open() of the -file argument in _make_filehandle

Type: Weaknesses
Values Removed: (none)
Values Added: CWE-73, CWE-78

Type: References
Values Removed: (none)
Values Added: (none)

MITRE

Status: PUBLISHED

Assigner: CPANSec

Published:

Updated: 2026-06-14T11:40:45.634Z

Reserved: 2026-06-07T19:33:54.590Z

Link: CVE-2026-11527

Vulnrichment

No data.

NVD

Status: Received

Published: 2026-06-14T12:16:23.357

Modified: 2026-06-14T12:16:23.357

Link: CVE-2026-11527

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-14T13:30:07Z

Weaknesses
  • CWE-73: External Control of File Name or Path
  • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')