When ack prints a filename whose basename contains terminal control bytes such as ANSI escape sequences, those bytes reach the terminal unchanged. Version 3.10.0 added a _safe_filename helper that sanitises the filenames printed by -f, -g, the colored match heading, and per-match lines, but the --show-types, -l/-L, and -c paths still emit the raw filename.
A file whose name embeds cursor-movement or color escapes can overwrite or recolor earlier terminal output, or be passed unchanged to a downstream consumer.
No analysis available yet.
Vendor Solution
Upgrade to a future ack release.
Vendor Workaround
Pipe ack output through a filter that strips terminal control characters when running ack over untrusted filenames.
Tracking
Sign in to view the affected projects.
No advisories yet.
Wed, 08 Jul 2026 16:30:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Metrics |
cvssV3_1
|
Wed, 08 Jul 2026 15:00:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Description | App::Ack versions through 3.10.0 for Perl print unsanitised terminal escape sequences from filenames in several output modes. When ack prints a filename whose basename contains terminal control bytes such as ANSI escape sequences, those bytes reach the terminal unchanged. Version 3.10.0 added a _safe_filename helper that sanitises the filenames printed by -f, -g, the colored match heading, and per-match lines, but the --show-types, -l/-L, and -c paths still emit the raw filename. A file whose name embeds cursor-movement or color escapes can overwrite or recolor earlier terminal output, or be passed unchanged to a downstream consumer. | |
| Title | App::Ack versions through 3.10.0 for Perl print unsanitised terminal escape sequences from filenames in several output modes | |
| Weaknesses | CWE-150 | |
| References |
|
Subscriptions
No data.
Status: PUBLISHED
Assigner: CPANSec
Published:
Updated: 2026-07-08T15:22:39.294Z
Reserved: 2026-05-27T17:50:04.538Z
Link: CVE-2026-49147
Updated: 2026-07-08T15:22:31.595Z
No data.
No data.
OpenCVE Enrichment
No data.
-
CWE-150
Improper Neutralization of Escape, Meta, or Control Sequences