{"id":"CVE-2026-11527","summary":"Config::IniFiles versions before 3.001000 for Perl allow OS command injection and file overwrite via a 2-arg open() of the -file argument in _make_filehandle","details":"Config::IniFiles versions before 3.001000 for Perl allow OS command injection and file overwrite via a 2-arg open() of the -file argument in _make_filehandle.\n\nConfig::IniFiles::_make_filehandle opens a filename argument with Perl's 2-arg open(), so a filename that begins or ends with a pipe (\"| cmd\", \"cmd |\") or begins with a redirect (\"\u003e path\", \"\u003e\u003e path\") is run as a command or redirect rather than opened as a file. The helper is the open path behind the documented -file argument: new(-file =\u003e $thing) reaches it through ReadConfig. An in-memory scalar reference (-file =\u003e \\$text) does not open a path and is unaffected.\n\nAny caller that forwards untrusted input to the -file argument can run an arbitrary command or truncate a file under the process UID.","modified":"2026-07-08T07:01:38.908894954Z","published":"2026-06-14T11:40:45.634Z","related":["SUSE-SU-2026:22329-1","SUSE-SU-2026:2709-1","SUSE-SU-2026:2710-1","openSUSE-SU-2026:21012-1"],"database_specific":{"cna_assigner":"CPANSec","osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/11xxx/CVE-2026-11527.json","cwe_ids":["CWE-73","CWE-78"]},"references":[{"type":"WEB","url":"http://www.openwall.com/lists/oss-security/2026/06/14/5"},{"type":"WEB","url":"https://cpan.org/modules"},{"type":"WEB","url":"https://lists.debian.org/debian-lts-announce/2026/06/msg00026.html"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/11xxx/CVE-2026-11527.json"},{"type":"ADVISORY","url":"https://metacpan.org/release/SHLOMIF/Config-IniFiles-3.001000/changes"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-11527"},{"type":"FIX","url":"https://github.com/shlomif/perl-Config-IniFiles/commit/3e48f9627fbba4dae5de35be1f735cdeb7e47fb8.patch"},{"type":"PACKAGE","url":"https://github.com/shlomif/perl-Config-IniFiles"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/shlomif/perl-config-inifiles","events":[{"introduced":"0"},{"fixed":"7040f46c00fade6ed81af18589c0de9b8d2f667a"},{"fixed":"3e48f9627fbba4dae5de35be1f735cdeb7e47fb8"}],"database_specific":{"extracted_events":[{"introduced":"0"},{"fixed":"3.001000"}],"source":["DESCRIPTION","REFERENCES"]}}],"versions":["releases/3.000003","releases/3.000002","releases/3.000001","releases/3.000000","releases/2.99","releases/2.98","releases/2.97","releases/2.96","releases/2.95","releases/2.94","releases/2.93","releases/2.92","releases/2.91","releases/2.90","releases/2.89","releases/2.88","releases/2.87","releases/2.86","releases/2.85","releases/2.84","releases/2.83","releases/2.82","releases/2.81","releases/2.80"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-11527.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H"}]}