Description
Web::Passwd versions through 0.03 for Perl is vulnerable to RCE.

Web::Passwd is a small CGI application for managing htpasswd files using the htpasswd command.

The user parameter is not validated or escaped, and is used as the last argument on the command line, allowing for command injection.
Published: 2026-05-13
Score: 9.8 Critical
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability allows an attacker to inject OS commands because the web interface does not escape the user parameter that is passed as the final argument to the system‑level htpasswd utility. This flaw is a classic command injection flaw, classified as CWE‑78, and permits arbitrary code execution on the host that runs the CGI script.

Affected Systems

The affected product is Web::Passwd from EVANK, available up to version 0.03. The application has not been updated since 2007 and is considered abandoned. Systems that still host any supported version of this CGI should be aware of the risk.

Risk and Exploitability

The flaw is immediately exploitable from a remote web request that supplies a malicious user value. With a CVSS score of 9.8, the vulnerability is classified as Critical. The EPSS score is reported as <1%, indicating a very low but non‑zero likelihood of exploitation, yet the absence of input validation combined with the ability to run arbitrary commands results in a high exploitation potential. Although it is not listed in the CISA KEV catalog, the impact remains severe and the risk persists because the vendor will not issue a patch.

Generated by OpenCVE AI on May 14, 2026 at 20:28 UTC.

Remediation

Vendor Solution

This application has not been updated since 2007 and appears to have been abandoned. Use other solutions.

OpenCVE Recommended Actions

  • Deploy an alternative htpasswd management tool or move to manual editing of password files.
  • If migration is not possible, isolate the CGI script to trusted networks or internal hosts and block external access.
  • Implement web‑application firewall rules that detect and block shell metacharacters in the user parameter to prevent injection attempts.

Generated by OpenCVE AI on May 14, 2026 at 20:28 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 14 May 2026 19:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Thu, 14 May 2026 18:30:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}

Thu, 14 May 2026 15:00:00 +0000

Type Values Removed Values Added
First Time appeared Evank
Evank web::passwd
Vendors & Products Evank
Evank web::passwd

Thu, 14 May 2026 02:30:00 +0000

Type Values Removed Values Added
References

Wed, 13 May 2026 22:45:00 +0000

Type Values Removed Values Added
Description Web::Passwd versions through 0.03 for Perl is vulnerable to RCE. Web::Passwd is a small CGI application for managing htpasswd files using the htpasswd command. The user parameter is not validated or escaped, and is used as the last argument on the command line, allowing for command injection.
Title Web::Passwd versions through 0.03 for Perl is vulnerable to RCE
Weaknesses CWE-78
References

Subscriptions

Evank Web::passwd
cve-icon MITRE

Status: PUBLISHED

Assigner: CPANSec

Published:

Updated: 2026-05-14T17:41:51.045Z

Reserved: 2026-05-13T20:31:51.641Z

Link: CVE-2026-8500

cve-icon Vulnrichment

Updated: 2026-05-14T00:35:26.211Z

cve-icon NVD

Status : Deferred

Published: 2026-05-13T23:16:43.237

Modified: 2026-05-14T18:16:51.490

Link: CVE-2026-8500

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-14T20:30:04Z

Weaknesses