Skip to main content

Config::IniFiles CVE-2026-11527

| EUVDEUVD-2026-36660 HIGH
OS Command Injection (CWE-78)
2026-06-14 CPANSec GHSA-2g88-7qc8-9vxv
8.6
CVSS 3.1 · Vendor: CPANSec
Share

Severity by source

Vendor (CPANSec) PRIMARY
8.6 HIGH
AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
vuln.today AI
8.6 HIGH

Library bug exploited only when a host app forwards untrusted input to -file, so AV:L/UI:R; no auth at the library boundary (PR:N); shell exec under process UID yields total C/I/A and scope change.

3.1 AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
4.0 AV:L/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
SUSE
HIGH
qualitative

Primary rating from Vendor (CPANSec).

CVSS VectorVendor: CPANSec

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Changed
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

4
Source Code Evidence Fetched
Jun 15, 2026 - 22:42 vuln.today
Analysis Generated
Jun 15, 2026 - 22:42 vuln.today
CVSS changed
Jun 15, 2026 - 21:22 NVD
8.6 (HIGH)
CVE Published
Jun 14, 2026 - 11:40 cve.org
UNKNOWN (no severity yet)

DescriptionCVE.org

Config::IniFiles versions before 3.001000 for Perl allow OS command injection and file overwrite via a 2-arg open() of the -file argument in _make_filehandle.

Config::IniFiles::_make_filehandle opens a filename argument with Perl's 2-arg open(), so a filename that begins or ends with a pipe ("| cmd", "cmd |") or begins with a redirect ("> path", ">> path") is run as a command or redirect rather than opened as a file. The helper is the open path behind the documented -file argument: new(-file => $thing) reaches it through ReadConfig. An in-memory scalar reference (-file => \$text) does not open a path and is unaffected.

Any caller that forwards untrusted input to the -file argument can run an arbitrary command or truncate a file under the process UID.

AnalysisAI

OS command injection and arbitrary file truncation in the Perl module Config::IniFiles before 3.001000 occurs because _make_filehandle uses Perl's 2-argument open() on the -file argument, letting filenames prefixed/suffixed with shell metacharacters ('| cmd', 'cmd |', '> path', '>> path') execute commands or overwrite files under the process UID. Any application passing untrusted input to new(-file => ...) or ReadConfig is exposed. EPSS is low (~0.26%) and SSVC reports no observed exploitation, but an upstream patch and a public regression test demonstrate the issue clearly.

Technical ContextAI

Config::IniFiles is a widely deployed CPAN module for parsing INI-style configuration files in Perl, maintained by Shlomi Fish. The defect is a classic CWE-78 OS Command Injection rooted in Perl's historical 2-arg open() semantics: open($fh, $name) interprets leading/trailing '|' as a pipe to a child process and leading '>' / '>>' as write-redirects, so the argument is parsed as a mini shell expression rather than a path. The vulnerable code path is _make_filehandle, which sits behind the documented -file option used by new() and ReadConfig(); a scalar-ref form (-file => \$text) bypasses the path open and is unaffected. The fix (commit 3e48f96) switches to the 3-arg form open($fh, '<', $thing), which treats the argument literally as a read-only filename, and adds t/38security-open.t to guard against regression. CPE coverage is cpe:2.3:a:shlomif:config::inifiles:*.

RemediationAI

Patch available per vendor advisory: upgrade Config::IniFiles to 3.001000 or later from CPAN (https://metacpan.org/release/SHLOMIF/Config-IniFiles-3.001000/changes), which switches _make_filehandle to a 3-arg open (commit https://github.com/shlomif/perl-Config-IniFiles/commit/3e48f9627fbba4dae5de35be1f735cdeb7e47fb8). On Debian-based systems, install the security-update package once your release ships it. If you cannot upgrade immediately, audit every call site that uses Config::IniFiles->new(-file => $x) or ReadConfig and either hardcode the path, validate $x against a strict allowlist of absolute paths, or convert callers to the in-memory scalar-reference form (-file => \$text) which does not go through the path-open branch; note that the scalar-ref workaround requires reading the file yourself with a 3-arg open, and allowlisting will break legitimate use cases that previously relied on trailing-whitespace trimming. See also the oss-security write-up at https://seclists.org/oss-sec/2026/q2/927.

Vendor StatusVendor

Debian

libconfig-inifiles-perl
Release Status Fixed Version Urgency
bullseye vulnerable 3.000003-1 -
bookworm vulnerable 3.000003-2 -
trixie vulnerable 3.000003-3 -
forky, sid vulnerable 3.000003-4 -
(unstable) fixed (unfixed) -

SUSE

Severity: Important
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Affected
SUSE Linux Enterprise High Performance Computing 15 SP7 Affected
SUSE Linux Enterprise Module for Development Tools 15 SP7 Affected
SUSE Linux Enterprise Server 15 SP7 Affected
SUSE Linux Enterprise Server 16.0 Affected

Share

CVE-2026-11527 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy