{"id":"CVE-2026-7381","summary":"Plack::Middleware::XSendfile versions through 1.0053 for Perl can allow client-controlled path rewriting","details":"Plack::Middleware::XSendfile versions through 1.0053 for Perl can allow client-controlled path rewriting.\n\nPlack::Middleware::XSendfile allows the variation setting (sendfile type) to be set by the client via the X-Sendfile-Type header, if it is not considered in the middleware constructor or the Plack environment.\n\nA malicious client can set the X-Sendfile-Type header to \"X-Accel-Redirect\" to services running behind nginx reverse proxies, and then set the X-Accel-Mapping to map the path to an arbitrary file on the server.\n\nSince 1.0053, Plack::Middleware::XSendfile is deprecated and will be removed from future releases of Plack.\n\nThis is similar to CVE-2025-61780 for Rack::Sendfile, although Plack::Middleware::XSendfile has some mitigations that disallow regular expressions to be used in the mapping, and only apply the mapping for the \"X-Accel-Redirect\" type.","modified":"2026-07-08T08:13:53.138055653Z","published":"2026-04-29T22:13:35.351Z","database_specific":{"osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/7xxx/CVE-2026-7381.json","cwe_ids":["CWE-200","CWE-441","CWE-913"],"cna_assigner":"CPANSec"},"references":[{"type":"WEB","url":"https://cpan.org/modules"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/7xxx/CVE-2026-7381.json"},{"type":"ADVISORY","url":"https://metacpan.org/release/MIYAGAWA/Plack-1.0053/changes"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2025-61780"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-7381"},{"type":"PACKAGE","url":"https://github.com/plack/Plack"},{"type":"ARTICLE","url":"https://metacpan.org/release/MIYAGAWA/Plack-1.0053/view/lib/Plack/Middleware/XSendfile.pm#DEPRECATION-NOTICE"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/plack/plack","events":[{"introduced":"0"},{"last_affected":"558fe3b40aa6cc71075048445410d1f540a9cf97"}],"database_specific":{"source":"AFFECTED_FIELD","extracted_events":[{"introduced":"0"},{"last_affected":"1.0053"}]}}],"versions":["1.0053","1.0052","1.0051","1.0050","1.0049","1.0048","1.0047","1.0046","1.0045","1.0044","1.0043","1.0042","1.0041","1.0040","1.0038","1.0037","1.0036","1.0035","1.0034","1.0033","1.0032","1.0031","1.0030","1.0029","1.0028","1.0027","1.0026","1.0025","1.0024","1.0023","1.0022","1.0021","1.0020","1.0018","1.0017","1.0016","1.0015","1.0014","1.0013","1.0012","1.0011","1.0010","1.0009","1.0008","1.0007","1.0006","1.0005","1.0004","1.0003","1.0002","1.0001","1.0000","0.9991","0.9990","0.9989","0.9988","0.9987","0.9986","0.9985","0.9984","0.9983","0.9982","0.9981","0.9980","0.9979","0.9978","0.9977","0.9976","0.99_75","0.9974","0.9973","0.9972","0.9971","0.9970","0.9969","0.9968","0.9967","0.9966","0.9965","0.9964","0.9963","0.9962","0.9961","0.9960","0.9959","0.9958","0.9957","0.9956","0.9955","0.9954","0.9953","0.9952","0.9951","0.9950","0.9949","0.9948","0.9947","0.9946","0.9945","0.9944","0.9943","0.9942","0.9941","0.9940","0.9939","0.9938","0.9937","0.9936","0.9935","0.9934","0.9933","0.9932","0.9931","0.9930","0.9929","0.9928","0.9927","0.9926","0.9925","0.99_24","0.99_23","0.99_22","0.99_21","0.9920","0.9919","0.9918","0.9917","0.9916","0.9915","0.9914","0.9913","0.9912","0.9911","0.9910","0.99_05","0.99_04","0.99_03","0.99_02","0.99_01","0.9031","0.9030","0.9029","0.9028","0.9027","0.9026","0.9025","0.9024","0.9023","0.9022","0.9021","0.9020","0.9019","0.9018","0.9017","0.9016","0.9015","0.9014","0.9013","0.9012","0.9011","0.9010","0.9009","0.9008","0.9007","0.9006","0.9005","0.9004","0.9003","0.9002","0.9001","0.9000"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-7381.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N"}]}