CVE-2026-15043

Source
https://cve.org/CVERecord?id=CVE-2026-15043
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-15043.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-15043
Aliases
  • GHSA-mv45-ff6j-x9jp
Downstream
Published
2026-07-14T09:44:25.733Z
Modified
2026-07-18T03:46:27.541915729Z
Severity
  • 9.8 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVSS Calculator
Summary
DBI::SQL::Nano versions from 1.42 before 1.651 for Perl have inverted <= and >= SQL operators on text
Details

DBI::SQL::Nano versions from 1.42 before 1.651 for Perl have inverted <= and >= SQL operators on text.

DBI::SQL::Nano, DBI's built-in mini-SQL engine, evaluated WHERE predicates incorrectly in some cases. In the non-numeric string branch of the is_matched method, <= was evaluated using Perl's ge operator, and >= was evaluated using Perl's le operator.

SQL::Nano is the fallback query engine for DBI's file-backed drivers (DBD::File, DBD::DBM, CSV-style drivers) whenever SQL::Statement is not installed, and is forced whenever DBISQLNANO=1. Queries over such tables use these predicates directly.

The impact depends on the context. Where an application relies on a WHERE clause to filter file-backed data for policy or authorization, an inverted <=/>= comparison silently returns the wrong rows.

Database specific
{
    "cwe_ids": [
        "CWE-480"
    ],
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/15xxx/CVE-2026-15043.json",
    "cna_assigner": "CPANSec"
}
References

Affected packages

Git / github.com/perl5-dbi/dbi

Affected ranges

Type
GIT
Repo
https://github.com/perl5-dbi/dbi
Events
Database specific
{
    "extracted_events": [
        {
            "introduced": "1.42"
        },
        {
            "fixed": "1.651"
        }
    ],
    "source": [
        "DESCRIPTION",
        "REFERENCES"
    ]
}

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-15043.json"