Description
UnQLite versions through 0.06 for Perl uses a potentially insecure version of the UnQLite library.

UnQLite for Perl embeds the UnQLite library. Version 0.06 and earlier of the Perl module uses a version of the library from 2014 that may be vulnerable to a heap-based overflow.
Published: 2026-03-05
Score: 9.8 Critical
EPSS: < 1% Very Low
KEV: No
Impact: Potential Remote Code Execution via heap overflow
Action: Apply Upgrade
AI Analysis

Impact

UnQLite for Perl embeds the UnQLite database engine. Versions up to and including 0.06 contain an older UnQLite library dated 2014 that was identified as having a heap-based buffer overflow. If an attacker can supply crafted input to the Perl module, the overflow could corrupt memory and potentially allow arbitrary code execution or denial of service. This weakness is categorized as CWE-1395.

Affected Systems

The vulnerability affects the TOKUHIROM UnQLite Perl distribution. Clients using UnQLite for Perl version 0.06 or earlier are exposed. No specific patch version is available for those releases; the module has been deprecated since 0.06 and newer releases (0.07+) embed a fixed library.

Risk and Exploitability

The CVSS score of 9.8 indicates critical severity, but the EPSS score shows a very low probability of exploitation (<1%). The issue is not currently listed in the CISA KEV catalog. Attackers would need to interact with a Perl application that loads the vulnerable module, but the potential for remote exploitation cannot be ruled out if the application processes untrusted data.

Generated by OpenCVE AI on April 16, 2026 at 12:59 UTC.

Remediation

Vendor Solution

UnQLite for Perl has been deprecated since version 0.06. Migrate to a different solution.

Vendor Workaround

Upgrade to UnQLite for Perl version 0.07 or later.

OpenCVE Recommended Actions

  • Upgrade to UnQLite for Perl version 0.07 or later.
  • Plan and execute migration to an alternative persistence solution that does not rely on the UnQLite library.
  • Limit or sanitize any untrusted input that the Perl application processes until the upgrade or migration is complete.
  • Monitor the application for anomalous memory usage or crashes that could indicate exploitation attempts.

Generated by OpenCVE AI on April 16, 2026 at 12:59 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Mon, 09 Mar 2026 15:00:00 +0000

Type Values Removed Values Added
Weaknesses NVD-CWE-noinfo
CPEs cpe:2.3:a:tokuhirom:unqlite:*:*:*:*:*:perl:*:*

Fri, 06 Mar 2026 15:30:00 +0000

Type Values Removed Values Added
First Time appeared Tokuhirom
Tokuhirom unqlite
Vendors & Products Tokuhirom
Tokuhirom unqlite

Thu, 05 Mar 2026 17:15:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}

ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Thu, 05 Mar 2026 02:15:00 +0000

Type Values Removed Values Added
Description UnQLite versions through 0.06 for Perl uses a potentially insecure version of the UnQLite library. UnQLite for Perl embeds the UnQLite library. Version 0.06 and earlier of the Perl module uses a version of the library from 2014 that may be vulnerable to a heap-based overflow.
Title UnQLite versions through 0.06 for Perl uses a potentially insecure version of the UnQLite library
Weaknesses CWE-1395
References

Subscriptions

Tokuhirom Unqlite
cve-icon MITRE

Status: PUBLISHED

Assigner: CPANSec

Published:

Updated: 2026-03-05T16:34:39.834Z

Reserved: 2026-02-26T12:04:48.010Z

Link: CVE-2026-3257

cve-icon Vulnrichment

Updated: 2026-03-05T16:34:18.464Z

cve-icon NVD

Status : Analyzed

Published: 2026-03-05T02:16:52.150

Modified: 2026-03-09T14:53:08.840

Link: CVE-2026-3257

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-16T13:00:11Z

Weaknesses