CVE-2026-8704 - Vulnerability Details

Description

Crypt::DSA versions through 1.19 for Perl use 2-args open, allowing existing files to be modified.

Published: 2026-05-15

Score: n/a

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

Crypt::DSA versions up to 1.19 make use of Perl’s two‑argument open, which permits the modification of files that already exist. This flaw allows an attacker who can influence the parameters passed to the module to overwrite files such as private keys or configuration data, thereby compromising the integrity of the application or system.

Affected Systems

The affected product is TIMLEGGE’s Crypt::DSA Perl module through version 1.19. Systems running any of these versions of Crypt::DSA without an upgrade to 1.20 are vulnerable.

Risk and Exploitability

No CVSS or EPSS score is reported and the vulnerability is not listed in the CISA KEV catalog. The flaw can be exploited by an attacker who controls the environment in which Crypt::DSA operates, enabling file modifications that may impact confidentiality, integrity, or availability. The attack vector is likely local or through code that feeds input to Crypt::DSA.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

TIMLEGGE

Crypt::DSA

unaffected

Version	Status	Constraints
`0`	affected	≤ 1.19

No data.

No data available yet.

Remediation

Vendor Solution

Upgrade to version 1.20

OpenCVE Recommended Actions

Apply the vendor’s update to Crypt::DSA 1.20
Limit usage of Crypt::DSA in trusted contexts and ensure that scripts cannot supply arbitrary filenames
Enforce strict file permissions on critical files to prevent unauthorized writes

Generated by OpenCVE AI on May 15, 2026 at 23:50 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

No CVSS v4.0

No CVSS v3.1

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00006.

Key SSVC decision points have not yet been added.

References

Link	Providers
http://www.openwall.com/lists/oss-security/2026/05/15/27
https://metacpan.org/release/TIMLEGGE/Crypt-DSA-1.20/changes
https://metacpan.org/release/TIMLEGGE/Crypt-DSA-1.20/diff/TIMLEGGE/Crypt-DSA-1.19#lib/Crypt/DSA/Key.pm

History

Sat, 16 May 2026 01:30:00 +0000

Type	Values Removed	Values Added
References		http://www.openwall.com/lists/oss-security/2026/05/15/27

Fri, 15 May 2026 22:45:00 +0000

Type	Values Removed	Values Added
Description		Crypt::DSA versions through 1.19 for Perl use 2-args open, allowing existing files to be modified.
Title		Crypt::DSA versions through 1.19 for Perl use 2-args open, allowing existing files to be modified
Weaknesses		CWE-552
References		https://metacpan.org/release/TIMLEGGE/Crypt-DSA-1.20/changes https://metacpan.org/release/TIMLEGGE/Crypt-DSA-1.20/diff/TIMLEGGE/Crypt-DSA-1.19#lib/Crypt/DSA/Key.pm

Subscriptions

No data.

MITRE

Status: PUBLISHED

Assigner: CPANSec

Published: 2026-05-15T22:18:15.917Z

Updated: 2026-05-16T00:31:20.840Z

Reserved: 2026-05-15T18:08:24.117Z

Link: CVE-2026-8704

Vulnrichment

No data.

NVD

Status : Received

Published: 2026-05-15T23:16:21.740

Modified: 2026-05-16T01:16:17.543

Link: CVE-2026-8704

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-16T00:00:12Z

Weaknesses

CWE-552

{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-8704", "assignerOrgId": "9b29abf9-4ab0-4765-b253-1875cd9b441e", "state": "PUBLISHED", "assignerShortName": "CPANSec", "dateReserved": "2026-05-15T18:08:24.117Z", "datePublished": "2026-05-15T22:18:15.917Z", "dateUpdated": "2026-05-16T00:31:20.840Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://cpan.org/modules", "defaultStatus": "unaffected", "packageName": "Crypt-DSA", "product": "Crypt::DSA", "programFiles": ["lib/Crypt/DSA/Key.pm"], "programRoutines": [{"name": "Crypt::DSA::read"}, {"name": "Crypt::DSA::write"}], "repo": "https://github.com/perl-Crypt-OpenPGP/Crypt-DSA", "vendor": "TIMLEGGE", "versions": [{"lessThanOrEqual": "1.19", "status": "affected", "version": "0", "versionType": "custom"}]}], "descriptions": [{"lang": "en", "value": "Crypt::DSA versions through 1.19 for Perl use 2-args open, allowing existing files to be modified."}], "impacts": [{"capecId": "CAPEC-23", "descriptions": [{"lang": "en", "value": "CAPEC-23 File Content Injection"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-552", "description": "CWE-552 Files or Directories Accessible to External Parties", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "9b29abf9-4ab0-4765-b253-1875cd9b441e", "shortName": "CPANSec", "dateUpdated": "2026-05-15T22:18:15.917Z"}, "references": [{"tags": ["release-notes"], "url": "https://metacpan.org/release/TIMLEGGE/Crypt-DSA-1.20/changes"}, {"url": "https://metacpan.org/release/TIMLEGGE/Crypt-DSA-1.20/diff/TIMLEGGE/Crypt-DSA-1.19#lib/Crypt/DSA/Key.pm"}], "solutions": [{"lang": "en", "value": "Upgrade to version 1.20"}], "source": {"discovery": "UNKNOWN"}, "timeline": [{"lang": "en", "time": "2026-05-15T00:00:00.000Z", "value": "CPANSec identified issue"}, {"lang": "en", "time": "2026-05-15T00:00:00.000Z", "value": "Author was notified"}, {"lang": "en", "time": "2026-05-15T00:00:00.000Z", "value": "Version 1.20 released."}], "title": "Crypt::DSA versions through 1.19 for Perl use 2-args open, allowing existing files to be modified", "x_generator": {"engine": "cpansec-cna-tool 0.1"}}, "adp": [{"title": "CVE Program Container", "references": [{"url": "http://www.openwall.com/lists/oss-security/2026/05/15/27"}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2026-05-16T00:31:20.840Z"}}]}}

Impact

Affected Systems

Risk and Exploitability

Tracking

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object