Description
HTTP::Daemon versions before 6.17 for Perl allow OS command injection via send_file().

send_file() opens its string argument with Perl's 2-arg open(). The 2-arg form interprets magic prefixes: '| cmd' and 'cmd |' open a pipe to a subprocess, '> path' and '>> path' open the path for write or append.

Untrusted input passed to send_file() can run OS commands at the daemon process UID. The read-pipe form ('cmd |') also leaks subprocess stdout into the HTTP response body. The write-mode forms can create or truncate files at attacker-chosen paths.
Published: 2026-05-27
Score: 9.1 Critical
EPSS: 1.1% Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

OS command injection is possible in HTTP::Daemon versions before 6.17 when the send_file() function receives untrusted input. The function opens the supplied string with Perl’s 2‑argument open, which interprets magic prefixes that create pipes to a subprocess. As a result, a remote attacker can execute arbitrary operating‑system commands under the uid of the HTTP daemon process, and if the read‑pipe form is used, the subprocess’s stdout is sent back to the HTTP client. The write‑mode forms can also create or truncate files at attacker‑chosen paths, enabling further compromise or persistence.

Affected Systems

OALDERS’ HTTP::Daemon module is affected in any installation of version 6.16 or earlier. Upgrading to version 6.17 or later resolves the flaw.

Risk and Exploitability

The CVSS score is 9.1 and the EPSS score is < 1%, indicating a high severity and low likelihood of exploitation. The vulnerability’s impact is severe due to its ability to execute arbitrary commands and modify filesystem state. The flaw can be exploited remotely by sending a crafted HTTP request that triggers send_file() with malicious input. Because the flaw is tied to the daemon’s privilege level, running the service as root could lead to a full system compromise. The vulnerability is not yet listed in CISA’s KEV catalog, but the nature of OS command injection warrants immediate attention.

Generated by OpenCVE AI on May 27, 2026 at 20:45 UTC.

Remediation

Vendor Solution

Upgrade to HTTP-Daemon 6.17 or later.


OpenCVE Recommended Actions

  • Upgrade the HTTP::Daemon module to version 6.17 or later.
  • If an immediate upgrade is not possible, apply the patch from commit 945d3514, which corrects the send_file() handling.
  • Restrict the file paths passed to send_file() to a trusted whitelist or disable the function entirely in environments that handle untrusted input.
  • Run the HTTP::Daemon process under a non‑privileged user account to reduce the damage potential of any successful exploit.
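The description above explains the root cause (a 2-arg open() that honours the '| cmd', 'cmd |', '> path' and '>> path' prefixes) and the recommended actions ask for a trusted whitelist of paths. The following Perl is an added illustration written for this page; it is not HTTP::Daemon's code and does not reproduce the fix in 6.17 (commit 945d3514). It places a minimal sketch of the unsafe pattern next to a hardened helper that validates the name, confines it to a document root and opens it with the 3-arg form so the string can only ever be a filename. The document root `/tmp/docroot` and the function names `unsafe_open_for_read` and `safe_open_under_root` are assumptions for the example, and the inputs in the demonstration loop are constructed; none of them executes a command.

```perl
#!/usr/bin/env perl
# Added example, not HTTP::Daemon's own code: the unsafe 2-arg open()
# pattern the advisory describes, beside a hardened file-serving helper.
use strict;
use warnings;
use File::Spec;
use Cwd qw(realpath);

# Hypothetical document root (assumption for this example).
my $DOCROOT = realpath('/tmp/docroot') // '/tmp/docroot';

# Shape of the vulnerable pattern. With 2-arg open(), a leading '|',
# a trailing '|', or a leading '>' / '>>' in $spec is parsed as a mode,
# so the string is no longer just a filename. Never call this with
# untrusted data; it is shown only for contrast and is not invoked below.
sub unsafe_open_for_read {
    my ($spec) = @_;
    open(my $fh, $spec) or return undef;   # 2-arg open: interprets magic prefixes
    return $fh;
}

# Hardened helper: returns ($fh, undef) on success or (undef, $reason).
# 1. Reject anything that is not a plain relative name.
# 2. Resolve it under $DOCROOT and confirm it stays there (realpath
#    also follows symlinks, so a link pointing outside is rejected).
# 3. Open with 3-arg open in read mode: '<' is the mode, $real is only
#    a path, so pipe and write prefixes have no meaning at all.
sub safe_open_under_root {
    my ($name) = @_;
    return (undef, 'empty name')               unless defined $name && length $name;
    return (undef, 'null byte')                if $name =~ /\0/;
    return (undef, 'absolute path')            if File::Spec->file_name_is_absolute($name);
    return (undef, 'open() magic characters')  if $name =~ /[|<>]/;   # defence in depth
    return (undef, 'parent traversal')         if grep { $_ eq '..' } File::Spec->splitdir($name);

    my $real = realpath(File::Spec->catfile($DOCROOT, $name));
    return (undef, 'not found')                unless defined $real;
    return (undef, 'outside document root')    unless index($real, "$DOCROOT/") == 0;
    return (undef, 'not a regular file')       unless -f $real;

    open(my $fh, '<', $real) or return (undef, "open failed: $!");
    binmode $fh;
    return ($fh, undef);
}

# Demonstration on constructed inputs. Only an existing regular file
# under $DOCROOT is accepted; every magic-prefix or traversal string is
# rejected before any open() call is made.
for my $input ('index.html', '../../etc/passwd', 'echo hi |', '| echo hi', '> /tmp/x', '/etc/passwd') {
    my ($fh, $err) = safe_open_under_root($input);
    if ($fh) { close $fh; printf "%-20s accepted\n", $input }
    else     { printf "%-20s rejected (%s)\n", $input, $err }
}
```

The 3-arg open is the actual fix for the injection; the regex rejecting '|', '<' and '>' is kept only as defence in depth so that a later refactor back to a 2-arg form would still not expose a pipe. The realpath-based containment check is what implements the "trusted whitelist" recommendation in a general way: rather than enumerating filenames, it confines every request to one directory tree.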


Advisories

Source: Ubuntu USN
ID: USN-8419-1
Title: HTTP-Daemon vulnerability

History

Tue, 16 Jun 2026 00:15:00 +0000

Type: References
Type: Metrics
  Values Removed: threat_severity: None
  Values Added: threat_severity: Important


Wed, 27 May 2026 16:30:00 +0000

Type: Metrics
  Values Added: cvssV3_1: {'score': 9.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N'}
  Values Added: ssvc: {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Wed, 27 May 2026 10:30:00 +0000

Type: First Time appeared
  Values Added: Oalders; Oalders http::daemon
Type: Vendors & Products
  Values Added: Oalders; Oalders http::daemon

Wed, 27 May 2026 08:30:00 +0000

Type: References

Wed, 27 May 2026 05:00:00 +0000

Type: Description
  Values Added: HTTP::Daemon versions before 6.17 for Perl allow OS command injection via send_file(). send_file() opens its string argument with Perl's 2-arg open(). The 2-arg form interprets magic prefixes: '| cmd' and 'cmd |' open a pipe to a subprocess, '> path' and '>> path' open the path for write or append. Untrusted input passed to send_file() can run OS commands at the daemon process UID. The read-pipe form ('cmd |') also leaks subprocess stdout into the HTTP response body. The write-mode forms can create or truncate files at attacker-chosen paths.
Type: Title
  Values Added: HTTP::Daemon versions before 6.17 for Perl allow OS command injection via send_file()
Type: Weaknesses
  Values Added: CWE-73; CWE-78
Type: References

MITRE

Status: PUBLISHED

Assigner: CPANSec

Published:

Updated: 2026-05-27T15:54:59.687Z

Reserved: 2026-05-12T21:26:04.212Z

Link: CVE-2026-8450

Vulnrichment

Updated: 2026-05-27T07:24:59.662Z

NVD

Status : Deferred

Published: 2026-05-27T05:16:23.067

Modified: 2026-06-17T11:03:57.190

Link: CVE-2026-8450

Redhat

Severity : Important

Public Date: 2026-05-27T04:22:26Z

Links: CVE-2026-8450 - Bugzilla

OpenCVE Enrichment

Updated: 2026-05-27T21:00:14Z

Weaknesses
  • CWE-73

    External Control of File Name or Path

  • CWE-78

    Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')