CVE-2026-8450

EUVD-2026-32050
HTTP::Daemon versions before 6.17 for Perl allow OS command injection via send_file().

send_file() opens its string argument with Perl's 2-arg open(). The 2-arg form interprets magic prefixes: '| cmd' and 'cmd |' open a pipe to a subprocess, '> path' and '>> path' open the path for write or append.

Untrusted input passed to send_file() can run OS commands at the daemon process UID. The read-pipe form ('cmd |') also leaks subprocess stdout into the HTTP response body. The write-mode forms can create or truncate files at attacker chosen paths.
OS Command Injection
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
9.1 CRITICAL
NETWORK
LOW
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
Awaiting analysis
This vulnerability is currently awaiting analysis.
Base Score
CVSS 3.x
EPSS Score
Percentile: 70%
Debian logo
Debian Releases
Debian Product
Codename
libhttp-daemon-perl
bookworm
6.16-1+deb13u1~deb12u1
fixed
bookworm (security)
6.16-1+deb13u1~deb12u1
fixed
bullseye
vulnerable
bullseye (security)
6.12-1+deb11u2
fixed
forky
6.17-1
fixed
sid
6.17-1
fixed
trixie
6.16-1+deb13u1
fixed
trixie (security)
6.16-1+deb13u1
fixed
Ubuntu logo
Ubuntu Releases
Ubuntu Product
Codename
libhttp-daemon-perl
bionic
Fixed 6.01-1ubuntu0.1+esm1
released
focal
Fixed 6.06-1ubuntu0.1+esm1
released
jammy
Fixed 6.13-1ubuntu0.2
released
noble
Fixed 6.16-1ubuntu0.24.04.1
released
questing
Fixed 6.16-1ubuntu0.25.10.1
released
resolute
Fixed 6.16-1ubuntu0.26.04.1
released
trusty
Fixed 6.01-1ubuntu0.14.04~esm2
released
xenial
Fixed 6.01-1ubuntu0.16.04~esm2
released
Red Hat logo
Red Hat Enterprise Linux Releases
Red Hat Product
Release
perl-HTTP-Daemon
RHEL 9
0:6.12-6.el9_8.1
fixed
Amazon Linux logo
Amazon Linux Releases
Amazon Package
Release
perl-HTTP-Daemon
Amazon Linux 2
0:6.01-8.amzn2.0.2
fixed
Amazon Linux 2023
0:6.16-1.amzn2023.0.1
fixed
perl-HTTP-Daemon-tests
Amazon Linux 2023
0:6.16-1.amzn2023.0.1
fixed