Description
IO::Compress versions before 2.220 for Perl can execute arbitrary code in File::GlobMapper via an attacker-controlled output glob.

_parseOutputGlob() wraps the caller-supplied output glob string in double quotes and stores it in the parser state; _getFiles() then runs the stored expression through eval STRING. A literal double quote in the output glob closes the dquote wrapper, and the characters that follow are evaluated as Perl.

Arbitrary Perl in the output glob executes at the calling process's privilege.
Published: 2026-05-27
Score: 7.3 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is in File::GlobMapper, the glob-expansion helper shipped in the IO-Compress distribution at versions before 2.220. _parseOutputGlob() wraps the caller-supplied output glob string in double quotes and stores it; _getFiles() later hands that stored string to eval STRING. A glob containing a literal double quote closes the wrapper, so whatever follows the quote is parsed and executed as Perl. The injected code runs with the privileges of the process that called IO::Compress, making this arbitrary code execution through eval injection (CWE-94 / CWE-95).

Affected Systems

Affected systems are Perl installations carrying the IO-Compress distribution (CPAN author PMQS, listed here as vendor "Pmqs") at any version earlier than 2.220. The flaw is reachable wherever code calls IO::Compress's one-shot compression functions with an output glob that an attacker controls or that is derived from user input (for example a client-supplied file name or pattern). Code that only passes fixed, programmer-defined globs does not expose the eval to untrusted data, although it still ships the defect and should be upgraded.

Risk and Exploitability

The CVSS 3.1 base score is 7.3 (High), vector AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L: network reachable, no privileges or user interaction required, but partial confidentiality, integrity and availability impact as scored. The EPSS score below 1% indicates a very low but non-zero predicted probability of exploitation in the wild, and the CVE is not in CISA KEV. The technical impact is nonetheless arbitrary Perl execution at the privilege of the calling process, which in practice hands the attacker everything that process can read, write or reach. The realistic attack path is an application that builds an IO::Compress output glob from user input; since the module offers no mitigation short of the fix, exploitability in a given deployment depends entirely on whether untrusted data can reach the output glob parameter.

Generated by OpenCVE AI on May 30, 2026 at 01:21 UTC.

Remediation

Vendor Solution

Upgrade to IO-Compress 2.220 or later.


OpenCVE Recommended Actions

  • Upgrade the IO-Compress distribution to version 2.220 or later, the first release that fixes the eval injection.
  • Audit the code to ensure that no user-controlled data is passed as the output glob parameter to IO::Compress functions; prefer fixed, programmer-defined output patterns.
  • Where an output glob must be built from external input, validate it against a strict allowlist of characters (letters, digits, and the few glob metacharacters the application needs) and reject anything else. Do not rely on escaping double quotes alone: inside a double-quoted Perl string `$`, `@` and backslash sequences are also interpreted, so blocklist-style sanitization is fragile.

Generated by OpenCVE AI on May 30, 2026 at 01:21 UTC.
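As an added illustration (this is not code from the IO-Compress distribution, from File::GlobMapper, or from OpenCVE), the following Perl models the two shapes discussed above: the wrap-in-double-quotes-then-eval pattern that the description attributes to _parseOutputGlob() and _getFiles(), beside the allowlist validation and eval-free expansion that the recommended actions call for. The `#1` back-reference handling, the `$pwned` flag and the sample globs are constructed for this example and are not taken from the module.

```perl
#!/usr/bin/env perl
# Model of the output-glob eval pattern described in CVE-2026-48962,
# written for this note. NOT File::GlobMapper's source; the names of the
# real internals come from the advisory text only.
use strict;
use warnings;

# Set by the injected payload below so the demo is observable without
# spawning a shell. A real payload would call system() or open() here.
our $pwned = 0;

# Vulnerable shape: the caller's glob is wrapped in double quotes and the
# resulting string is handed to eval STRING. A literal " in the glob
# closes the wrapper, and whatever follows is compiled and run as Perl.
sub expand_vulnerable {
    my ($output_glob) = @_;
    my $expr   = '"' . $output_glob . '"';   # the dquote wrapper
    my $result = eval $expr;                 # string eval: the bug
    die "eval failed: $@" if $@;
    return $result;
}

# Hardened shape: reject anything outside a strict allowlist, then expand
# "#N" back-references by plain substitution. There is no string eval, so
# a quote, a $ or a backslash in the glob can never become code.
# (The "#N" syntax and the allowlist are assumptions for this model; the
# real glob grammar is wider.)
sub expand_safe {
    my ($output_glob, @captures) = @_;
    $output_glob =~ m{\A[A-Za-z0-9_./#*?-]+\z}
        or die "output glob contains disallowed characters\n";
    (my $out = $output_glob) =~ s{#(\d+)}{
        my $n = $1;
        ($n >= 1 && $n <= @captures)
            ? $captures[$n - 1]
            : die "back-reference #$n has no matching capture\n";
    }ge;
    return $out;
}

# Constructed inputs: a benign glob and one that closes the wrapper.
# After wrapping, the payload becomes  "out" . ($main::pwned = 1) . ""
my $benign  = 'out.gz';
my $payload = 'out" . ($main::pwned = 1) . "';

print "benign  -> ", expand_vulnerable($benign),  "\n";
print "payload -> ", expand_vulnerable($payload), "\n";
print "pwned   =  $pwned (payload ran inside eval STRING)\n";

print "safe    -> ", expand_safe('#1.gz', 'report'), "\n";
my $ok = eval { expand_safe($payload); 1 };
print "safe rejected payload: ", ($ok ? "no\n" : "yes: $@");
```

Running the script shows the benign glob surviving the vulnerable path unchanged, the payload evaluating to a concatenation that sets `$main::pwned`, and the hardened path returning the substituted name while dying on the payload before any evaluation happens. To see which IO-Compress version is installed, `perl -MIO::Compress::Base -e 'print IO::Compress::Base->VERSION, "\n"'` prints the distribution version shared by all of its modules; anything below 2.220 is affected.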

Advisories

No advisories yet.

History

Sat, 30 May 2026 00:15:00 +0000

Type         Values Removed            Values Added
Weaknesses                             CWE-94
References
Metrics      threat_severity: None     threat_severity: Important


Wed, 27 May 2026 16:30:00 +0000

Type         Values Removed            Values Added
Metrics                                cvssV3_1: {'score': 7.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L'}
                                       ssvc: {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 27 May 2026 10:30:00 +0000

Type                  Values Removed   Values Added
First Time appeared                    Pmqs
                                       Pmqs compress
Vendors & Products                     Pmqs
                                       Pmqs compress

Wed, 27 May 2026 08:30:00 +0000

Type         Values Removed            Values Added
References

Wed, 27 May 2026 03:30:00 +0000

Type         Values Removed            Values Added
Description                            IO::Compress versions before 2.220 for Perl can execute arbitrary code in File::GlobMapper via an attacker-controlled output glob. _parseOutputGlob() wraps the caller-supplied output glob string in double quotes and stores it in the parser state; _getFiles() then runs the stored expression through eval STRING. A literal double quote in the output glob closes the dquote wrapper, and the characters that follow are evaluated as Perl. Arbitrary Perl in the output glob executes at the calling process's privilege.
Title                                  IO::Compress versions before 2.220 for Perl can execute arbitrary code in File::GlobMapper via an attacker-controlled output glob
Weaknesses                             CWE-95
References

MITRE

Status: PUBLISHED

Assigner: CPANSec

Published:

Updated: 2026-05-27T16:02:15.210Z

Reserved: 2026-05-26T18:09:32.365Z

Link: CVE-2026-48962

Vulnrichment

Updated: 2026-05-27T07:24:58.630Z

NVD

Status : Deferred

Published: 2026-05-27T04:16:31.333

Modified: 2026-06-17T10:55:25.360

Link: CVE-2026-48962

Redhat

Severity : Important

Public Date: 2026-05-27T03:12:38Z

Links: CVE-2026-48962 - Bugzilla

OpenCVE Enrichment

Updated: 2026-05-30T01:30:12Z

Weaknesses
  • CWE-94: Improper Control of Generation of Code ('Code Injection')
  • CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection')