CVE-2026-48962

EUVD-2026-32048
IO::Compress versions before 2.220 for Perl can execute arbitrary code in File::GlobMapper via an attacker-controlled output glob.

_parseOutputGlob() wraps the caller-supplied output glob string in double quotes and stores it in the parser state; _getFiles() then runs the stored expression through eval STRING. A literal double quote in the output glob closes the dquote wrapper, and the characters that follow are evaluated as Perl.

Arbitrary Perl in the output glob executes at the calling process's privilege.
Eval Injection
Code Injection
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
7.3 HIGH
NETWORK
LOW
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
Awaiting analysis
This vulnerability is currently awaiting analysis.
Base Score
CVSS 3.x
EPSS Score
Percentile: 21%
Debian logo
Debian Releases
Debian Product
Codename
libio-compress-perl
bookworm
vulnerable
bullseye
vulnerable
forky
2.223-1
fixed
sid
2.223-1
fixed
trixie
no-dsa
perl
bookworm
vulnerable
bookworm (security)
vulnerable
bullseye
vulnerable
bullseye (security)
vulnerable
forky
5.40.1-8
fixed
sid
5.40.1-8
fixed
trixie
vulnerable
Ubuntu logo
Ubuntu Releases
Ubuntu Product
Codename
libio-compress-perl
bionic
needs-triage
focal
needs-triage
jammy
needs-triage
noble
needs-triage
questing
ignored
resolute
needs-triage
perl
bionic
needs-triage
focal
needs-triage
jammy
needs-triage
noble
needs-triage
questing
ignored
resolute
needs-triage
trusty
needs-triage
xenial
needs-triage
Red Hat logo
Red Hat Enterprise Linux Releases
Red Hat Product
Release
perl-IO-Compress
RHEL 9
0:2.102-4.el9_8.1
fixed
Amazon Linux logo
Amazon Linux Releases
Amazon Package
Release
perl-IO-Compress
Amazon Linux 2
0:2.061-2.amzn2.0.1
fixed
Amazon Linux 2023
0:2.217-1.amzn2023.0.2
fixed
perl-IO-Compress-tests
Amazon Linux 2023
0:2.217-1.amzn2023.0.2
fixed
Azure Linux logo
Azure Linux Releases
Azure Package
Release
perl
Azure Linux 3.0
0:5.38.2-510.azl3
fixed