CVE-2026-14380

Source
https://cve.org/CVERecord?id=CVE-2026-14380
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-14380.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-14380
Aliases
  • GHSA-ch8w-hxc2-v557
Downstream
Related
Published
2026-07-07T22:04:49.078Z
Modified
2026-07-17T18:29:41.714175139Z
Severity
  • 8.8 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H CVSS Calculator
Summary
DBI versions before 1.650 for Perl are vulnerable to code injection via caller-influenced Profile
Details

DBI versions before 1.650 for Perl are vulnerable to code injection via caller-influenced Profile.

When a string is assigned to a DBI handle's Profile attribute, DBI splits it into path, package and arguments, and interpolates the package part in a string eval with no validation of the package name.

Any caller-influenced value that reaches the Profile attribute is therefore arbitrary Perl code execution, including calls to run system commands.

The Profile attribute can be set from three different sources that can carry untrusted data: the DBI_PROFILE environment variable, a direct attribute assignment, and a DSN driver-attribute clause dbi:Driver(Profile=>SPEC):db.

An attacker controlling any of those inputs runs arbitrary Perl in the host process. The strongest remote position is a network-exposed DBI::Gofer / DBI::ProxyServer whose per-request DSN reaches the Profile attribute, letting a client execute code on the broker host.

Database specific
{
    "cwe_ids": [
        "CWE-95"
    ],
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/14xxx/CVE-2026-14380.json",
    "cna_assigner": "CPANSec"
}
References

Affected packages

Git / github.com/perl5-dbi/dbi

Affected ranges

Type
GIT
Repo
https://github.com/perl5-dbi/dbi
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
Fixed
Database specific
{
    "cpe": "cpe:2.3:a:perl:dbi:*:*:*:*:*:*:*:*",
    "extracted_events": [
        {
            "introduced": "0"
        },
        {
            "fixed": "1.650"
        }
    ],
    "source": [
        "CPE_RANGE",
        "REFERENCES"
    ]
}

Affected versions

1.*
1.602
1.607
1.611_90
1.611_91
1.611_92
1.611_93
1.611_94
1.613_70
1.613_71
1.613_90
1.613_91
1.613_92
1.613_93
1.614_90
1.615
1.618
1.619
1.622
1.624
1.625
1.626
1.627
1.628
1.630
1.631
1.632
1.632_90
1.633
1.633_90
1.633_91
1.633_92
1.634
1.635
1.636
1.637
1.638
1.639
1.640
1.641
1.642
1.643
1.643_01
1.643_02
1.644
1.645
1.646
1.647
1.648
1.649
DBI-1.*
DBI-1.47
DBI-1.51
DBI-1.57
DBI-1.58

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-14380.json"