Description
IO::Compress versions before 2.220 for Perl can execute arbitrary code in File::GlobMapper via an attacker-controlled output glob.

_parseOutputGlob() wraps the caller-supplied output glob string in double quotes and stores it in the parser state; _getFiles() then runs the stored expression through eval STRING. A literal double quote in the output glob closes the dquote wrapper, and the characters that follow are evaluated as Perl.

Arbitrary Perl in the output glob executes at the calling process's privilege.
Published: 2026-05-27
Score: n/a
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability resides in IO::Compress versions prior to 2.220, where the _parseOutputGlob method wraps an attacker‑controlled output glob string in double quotes and later evaluates it with eval. As a result, a crafted glob that contains a literal double quote terminates the wrapper, and whatever follows is evaluated as Perl code. The injected code runs with the permissions of the process that invoked IO::Compress, making this an arbitrary code execution flaw (CWE‑95).

Affected Systems

Affected systems are Perl installations using the IO::Compress module from the PMQS vendor, specifically versions earlier than 2.220. The flaw is triggered whenever code calls IO::Compress's compression functions and supplies a glob pattern that can be controlled by an attacker or otherwise derived from user input.

Risk and Exploitability

The flaw carries a high risk due to the absence of effective mitigations beyond the patched module. EPSS data is not available, and the vulnerability is not yet listed in CISA KEV, but the capability to run arbitrary code gives the attacker full control over the host. Likely attack vectors involve a Perl script that processes user input and passes it to IO::Compress; if an attacker can influence the output glob, they can execute any Perl code. The severity can be expected to be high, and the vulnerability is practical for exploitation in environments where untrusted input reaches IO::Compress.

Generated by OpenCVE AI on May 27, 2026 at 04:20 UTC.

Remediation

Vendor Solution

Upgrade to IO-Compress 2.220 or later.


OpenCVE Recommended Actions

  • Upgrade the IO‑Compress module to version 2.220 or later, the version that removes the eval of the output glob.
  • Audit the code to ensure that no user‑controlled data is passed as the output glob parameter to IO::Compress functions.
  • Apply input validation or sanitization to any glob strings before they reach IO::Compress, removing or escaping double quotes and other special characters.
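The following Perl script is an added example of the validation step recommended above; it is not part of the CVE record and not code from IO::Compress or File::GlobMapper. It applies an allowlist to an output glob before the string is handed to any IO::Compress function: the glob must keep its <...> wrapper, may contain only path and wildcard characters plus File::GlobMapper style #1 back-references, and is rejected if it carries a double quote or anything else that could be interpolated once the string is wrapped and evaluated. The exact allowlist is an assumption and should be tightened to what a given deployment actually needs; the sample inputs are constructed.

```perl
#!/usr/bin/perl
# Added example (not from the CVE record or from IO::Compress).
use strict;
use warnings;

# Allowlist validator for output glob strings before they reach
# IO::Compress / File::GlobMapper. Per the advisory, a literal double quote
# in the output glob closes the "..." wrapper built by _parseOutputGlob()
# and the remainder is run through eval STRING in _getFiles().
#
# Policy (assumption; tighten for your deployment): the glob is wrapped in
# '<' ... '>' and its body consists only of word characters, '.', '/', '-',
# '*', '?' and back-references of the form #<digits>. Everything else,
# in particular '"', '$', '@', '\\' and backticks, is rejected.
sub validate_output_glob {
    my ($glob) = @_;
    return (0, 'undefined glob')         unless defined $glob;
    return (0, 'missing <...> wrapper')  unless $glob =~ /\A<(.*)>\z/s;
    my $body = $1;
    return (0, 'empty glob')             if $body eq '';
    # Named check first so the reason matches the advisory's root cause.
    return (0, 'contains double quote')  if $body =~ /"/;
    # Every character must come from the allowlist; back-references only
    # as '#' followed by digits.
    return (0, 'disallowed character')
        unless $body =~ /\A(?:[\w.\/\-*?]|#\d+)+\z/;
    # Keep generated output paths inside the intended directory.
    return (0, 'parent-directory traversal')
        if $body =~ m{(?:\A|/)\.\.(?:/|\z)};
    return (1, 'ok');
}

# Constructed sample inputs: two well-formed globs and three that the
# policy rejects (a literal double quote, a missing wrapper, traversal).
my @samples = (
    '<*.gz>',
    '</var/spool/out/#1.gz>',
    '<out"put.gz>',
    '*.gz',
    '<../escape/#1.gz>',
);

for my $g (@samples) {
    my ($ok, $why) = validate_output_glob($g);
    printf "%-26s %s (%s)\n", $g, ($ok ? 'ACCEPT' : 'REJECT'), $why;
}

# Usage pattern (hypothetical call site): run the check and refuse the
# request before anything reaches IO::Compress.
#   my ($ok, $why) = validate_output_glob($user_supplied_glob);
#   die "rejected output glob: $why\n" unless $ok;
#   # ... only now pass $user_supplied_glob to the IO::Compress function
```

The check is deliberately an allowlist rather than an attempt to escape double quotes: escaping would have to reason about every interpolation rule of Perl's double-quoted strings, whereas rejecting anything outside a small character set needs no knowledge of how the module builds its eval expression. Upgrading to 2.220 or later remains the actual fix; the validator is defence in depth for code that cannot upgrade immediately.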

Generated by OpenCVE AI on May 27, 2026 at 04:20 UTC.


Advisories

No advisories yet.

History

Wed, 27 May 2026 10:30:00 +0000

Type                 Values Removed   Values Added
First Time appeared  -                Pmqs; Pmqs compress
Vendors & Products   -                Pmqs; Pmqs compress

Wed, 27 May 2026 08:30:00 +0000

Type         Values Removed   Values Added
References   -                -

Wed, 27 May 2026 03:30:00 +0000

Type          Values Removed   Values Added
Description   -                IO::Compress versions before 2.220 for Perl can execute arbitrary code in File::GlobMapper via an attacker-controlled output glob. _parseOutputGlob() wraps the caller-supplied output glob string in double quotes and stores it in the parser state; _getFiles() then runs the stored expression through eval STRING. A literal double quote in the output glob closes the dquote wrapper, and the characters that follow are evaluated as Perl. Arbitrary Perl in the output glob executes at the calling process's privilege.
Title         -                IO::Compress versions before 2.220 for Perl can execute arbitrary code in File::GlobMapper via an attacker-controlled output glob
Weaknesses    -                CWE-95
References    -                -

MITRE

Status: PUBLISHED

Assigner: CPANSec

Published:

Updated: 2026-05-27T07:24:58.630Z

Reserved: 2026-05-26T18:09:32.365Z

Link: CVE-2026-48962

Vulnrichment

No data.

NVD

Status : Received

Published: 2026-05-27T04:16:31.333

Modified: 2026-05-27T08:16:44.170

Link: CVE-2026-48962

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-27T10:07:56Z

Weaknesses