Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H
Network-reachable if the app parses untrusted HTML (AV:N/AC:L/PR:N/UI:N), but a small bounded over-read yields only limited disclosure (C:L) and a likely crash (A:L), not high impact.
Primary rating from Vendor (CPANSec).
CVSS VectorVendor: CPANSec
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H
Lifecycle Timeline
5DescriptionCVE.org
HTML::Bare versions through 0.04 for Perl have an unbounded character lookahead.
The parserc_parse function attempts to check for multicharacter strings such as "<![CDATA" or element terminators such as ">" without checking that the offsets are within the buffer.
Truncated strings such as "<a/" can trigger an out-of-bounds read.
Note that the latest version available on CPAN is version 0.02. Newer versions are available on the git repository.
AnalysisAI
Out-of-bounds read in the HTML::Bare Perl parsing module (versions through 0.04) lets an attacker who supplies truncated or malformed HTML - such as the string "<a/" - force the C-based parserc_parse routine to read past the end of the input buffer. Because the parser performs multi-character lookahead for tokens like "<![CDATA" and element terminators ">" without bounds checks, adjacent heap memory can be disclosed or the process can crash. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires that the target application pass attacker-controlled input to HTML::Bare's C parser (parserc_parse). … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The provided CVSS 3.1 vector (AV:N/AC:L/PR:N/UI:N/C:H/I:N/A:H, base 9.1) rates this critical on the assumption that untrusted HTML reaches the parser over the network with no authentication and yields high confidentiality and availability impact. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An application uses HTML::Bare to parse HTML or XML-like content submitted by users - for example an API endpoint or feed processor. An attacker submits a deliberately truncated fragment such as "<a/" or a tag missing its closing '>', causing parserc_parse to read beyond the input buffer and either crash the worker (denial of service) or leak adjacent heap bytes back into parsed output. … |
| Remediation | Patch available per vendor advisory: apply the CPANSec-published fixes rather than waiting for a tagged release - https://security.metacpan.org/patches/H/HTML-Bare/0.02/CVE-2026-57073-r1.patch for CPAN 0.02 and https://security.metacpan.org/patches/H/HTML-Bare/0.04/CVE-2026-57073-r2.patch for the git 0.04 line, both corresponding to upstream fix PR https://github.com/nanoscopic/perl-HTML-Bare/pull/2. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours, identify all systems and applications using HTML::Bare module versions through 0.04 and determine exposure based on whether they process untrusted HTML. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
HTML::Gumbo versions before 0.19 for Perl disclose heap memory via type confusion. Support for the <template> element w
The html.Parse function in golang.org/x/net/html has an infinite parsing loop when processing certain inputs, which can
Session::Cookie in the HTML::EP module 0.2011 for Perl does not properly use the Storable::thaw function, which allows r
Heap information disclosure in HTML::Entities for Perl (versions before 3.84) allows remote attackers to leak adjacent h
Html contains a vulnerability that allows attackers to denial of service (DoS) if an attacker provides specially crafted
Same weakness CWE-125 – Out-of-bounds Read
View allSame technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-44965
GHSA-682p-jxjc-9j4v