Description
HTTP::Daemon versions before 6.17 for Perl allow OS command injection via send_file().

send_file() opens its string argument with Perl's 2-arg open(). The 2-arg form interprets magic prefixes: '| cmd' and 'cmd |' open a pipe to a subprocess, '> path' and '>> path' open the path for write or append.

Untrusted input passed to send_file() can run OS commands at the daemon process UID. The read-pipe form ('cmd |') also leaks subprocess stdout into the HTTP response body. The write-mode forms can create or truncate files at attacker-chosen paths.
Published: 2026-05-27
Score: n/a
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

OS command injection is possible in HTTP::Daemon versions before 6.17 when send_file() receives untrusted input. The function hands the supplied string to Perl's 2-argument open(), which treats it as an open specification rather than a plain filename: a leading or trailing '|' runs the rest of the string as a command, and a leading '>' or '>>' opens the named path for writing or appending. An attacker who controls that string can therefore execute arbitrary operating-system commands under the uid of the HTTP daemon process. With the read-pipe form ('cmd |') the subprocess's stdout is returned in the HTTP response body; with the write-mode forms the attacker can create or truncate files at chosen paths, which can be leveraged for further compromise or persistence.
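The following Perl script is an added illustration and is not code from HTTP::Daemon or its maintainer. It shows what Perl's 2-argument open() does with the magic prefixes named above, a helper that reproduces the vulnerable pattern (a string trusted as a filename but opened with 2-arg open), and a hardened replacement that uses 3-argument open with an explicit read mode and confines the path to a document root. The names classify_2arg, send_file_vulnerable and send_file_safe, the temporary document root, and the test inputs are all constructed for this example; only the benign 'id |' input is actually executed, the write-mode inputs are classified but never opened.

```perl
#!/usr/bin/perl
# Added example (not HTTP::Daemon's own code): 2-arg open() prefix magic
# versus a hardened file-serving helper. All names below are ours.
use strict;
use warnings;
use File::Spec;
use File::Temp qw(tempdir);

# Classify what 2-arg open() would do with an untrusted string. The patterns
# cover only the prefixes named in the advisory ('| cmd', 'cmd |', '> p', '>> p');
# the real open() recognises more forms, so this is a description, not a filter.
sub classify_2arg {
    my ($arg) = @_;
    return 'write-pipe (runs command, its stdin is our handle)' if $arg =~ /^\s*\|/;
    return 'read-pipe (runs command, its stdout is our handle)' if $arg =~ /\|\s*$/;
    return 'append to file'                                      if $arg =~ /^\s*>>/;
    return 'create or truncate file'                             if $arg =~ /^\s*>/;
    return 'read file';
}

# Vulnerable pattern: the argument is treated as a filename but open() sees an
# open specification, so a trailing '|' runs a command and returns its output.
sub send_file_vulnerable {
    my ($spec) = @_;
    open(my $fh, $spec) or return undef;   # 2-arg open: prefix magic applies
    local $/;
    my $body = <$fh>;
    close $fh;
    return $body;
}

# Hardened pattern: explicit read mode, path confined to $docroot, regular files only.
sub send_file_safe {
    my ($docroot, $name) = @_;
    return undef if $name =~ /\0/;                 # NUL would truncate the C string
    return undef if $name =~ m{(^|/)\.\.(/|$)};    # reject directory traversal
    my $path = File::Spec->catfile($docroot, $name);
    return undef unless -f $path;                  # regular file, not a pipe or device
    open(my $fh, '<', $path) or return undef;      # 3-arg open: $path is only ever a filename
    binmode $fh;
    local $/;
    my $body = <$fh>;
    close $fh;
    return $body;
}

# Constructed document root with one file to serve.
my $dir = tempdir(CLEANUP => 1);
open(my $out, '>', "$dir/index.html") or die "create: $!";
print $out "<p>hello</p>\n";
close $out;

# Show how each constructed input would be interpreted by 2-arg open().
for my $input ("index.html", "| id", "id |", "> $dir/owned", ">> $dir/owned") {
    printf "%-28s 2-arg open would: %s\n", "'$input'", classify_2arg($input);
}

# The read-pipe input reaches the vulnerable helper and returns command output,
# which is exactly what would land in the HTTP response body.
my $leaked = send_file_vulnerable("id |");
print "vulnerable helper returned: ", defined $leaked ? $leaked : "(undef)\n";

# The hardened helper serves the real file and refuses the pipe spec.
print "safe helper, index.html: ", send_file_safe($dir, "index.html");
print "safe helper, 'id |': ",
      defined send_file_safe($dir, "id |") ? "served\n" : "refused\n";
```

The two checks that matter in the hardened helper are the explicit '<' mode, which stops open() from parsing the string at all, and the -f test after joining with the document root, which rejects anything that is not an ordinary file before it is opened. Rejecting '..' and NUL bytes is independent of this CVE but belongs in any file-serving path.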

Affected Systems

HTTP::Daemon (the CPAN distribution HTTP-Daemon, maintained by OALDERS) at version 6.16 or earlier is affected, whatever the installation method. Upgrading to version 6.17 or later resolves the flaw.

Risk and Exploitability

Although no CVSS score is provided and EPSS data is unavailable, the impact is severe: arbitrary command execution plus the ability to create or truncate files. The flaw is reachable remotely whenever the calling application passes request-derived data (for example a URL path or query parameter) to send_file(); applications that only ever pass fixed, server-chosen paths are not exposed through this vector. Because the commands run with the daemon's privileges, running the service as root could lead to a full system compromise. The vulnerability is not yet listed in CISA’s KEV catalog, but the nature of OS command injection warrants immediate attention.

Generated by OpenCVE AI on May 27, 2026 at 06:21 UTC.

Remediation

Vendor Solution

Upgrade to HTTP-Daemon 6.17 or later.


OpenCVE Recommended Actions

  • Upgrade the HTTP::Daemon module to version 6.17 or later.
  • If an immediate upgrade is not possible, apply the patch from commit 945d3514, which corrects the send_file() handling.
  • Never pass request-derived strings directly to send_file(): map them to an allow-list of known files, or resolve them under a fixed document root and reject anything that is not a regular file before serving it. Where that is not feasible, disable the function entirely in environments that handle untrusted input.
  • Run the HTTP::Daemon process under a non‑privileged user account to reduce the damage potential of any successful exploit.

Generated by OpenCVE AI on May 27, 2026 at 06:21 UTC.

Advisories

No advisories yet.

History

Wed, 27 May 2026 10:30:00 +0000
  First Time appeared (values added): Oalders; Oalders http::daemon
  Vendors & Products (values added): Oalders; Oalders http::daemon

Wed, 27 May 2026 08:30:00 +0000
  References (updated)

Wed, 27 May 2026 05:00:00 +0000
  Description (values added): the text shown in the Description section above
  Title (values added): HTTP::Daemon versions before 6.17 for Perl allow OS command injection via send_file()
  Weaknesses (values added): CWE-73, CWE-78
  References (updated)

MITRE

Status: PUBLISHED

Assigner: CPANSec

Published:

Updated: 2026-05-27T07:24:59.662Z

Reserved: 2026-05-12T21:26:04.212Z

Link: CVE-2026-8450

Vulnrichment

No data.

NVD

Status : Received

Published: 2026-05-27T05:16:23.067

Modified: 2026-05-27T08:16:45.440

Link: CVE-2026-8450

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-27T10:07:54Z

Weaknesses