Skip to main content

Perl DBI CVE-2026-60081

| EUVDEUVD-2026-43728 HIGH
Allocation of Resources Without Limits or Throttling (CWE-770)
2026-07-14 CPANSec
7.5
CVSS 3.1 · Vendor: CPANSec
Share

Severity by source

Vendor (CPANSec) PRIMARY
7.5 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
vuln.today AI
5.5 MEDIUM

Exploitation requires the victim to parse an attacker-supplied profile dump file, so AV:L and UI:R; impact is availability-only memory exhaustion, hence C:N/I:N/A:H.

3.1 AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
4.0 AV:L/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (CPANSec).

CVSS VectorVendor: CPANSec

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

5
Source Code Evidence Fetched
Jul 15, 2026 - 16:32 vuln.today
Analysis Generated
Jul 15, 2026 - 16:32 vuln.today
CVSS changed
Jul 15, 2026 - 14:22 NVD
7.5 (HIGH)
CVE Published
Jul 14, 2026 - 15:34 cve.org
HIGH 7.5
CVE Published
Jul 14, 2026 - 15:34 cve.org
UNKNOWN (no severity yet)

DescriptionCVE.org

DBI::ProfileData versions before 1.651 for Perl do not limit the path index.

The path index column of profile dump files is used to allocate an array of data for the parser. An unbounded value allows an attacker to specify a large index and consume available memory.

AnalysisAI

Memory-exhaustion denial of service in the DBI::ProfileData module (bundled with Perl DBI) before version 1.651 allows an attacker who supplies a crafted profile dump file to force the parser into allocating an oversized array. Because the path-index column is read directly from an untrusted file and used to size an in-memory array, a tiny malicious file can amplify into large memory consumption (CWE-770). …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Craft malicious profile dump file
Delivery
Deliver file to parsing workflow
Exploit
Parser reads unbounded path index
Execution
Allocate oversized @path array
Impact
Memory exhausted, service denied

Vulnerability AssessmentAI

Exploitation Exploitation requires that a victim system parse an attacker-controlled DBI profile dump file through DBI::ProfileData (typically via the dbiprof frontend or DBI::Profile-based tooling) at a version before 1.651. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The published CVSS 3.1 vector (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H, base 7.5) rates this a network, no-auth, availability-only issue. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker crafts a small DBI profile dump file containing a path-index line with an enormous integer value and gets it processed by a victim's dbiprof/DBI::ProfileData parser (for example, an automated profiling pipeline that ingests uploaded or shared dump files). When parsed, the oversized index causes a large sparse array allocation and repeated copies, exhausting available memory and denying service. …
Remediation Vendor-released patch: upgrade Perl DBI to version 1.651 or later, which bounds the profile-file path index (see the GHSA-ww49-w4mv-jrr4 advisory and the DBI-1.651 changelog at https://metacpan.org/release/HMBRAND/DBI-1.651/changes). … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours, inventory all systems running Perl DBI versions prior to 1.651 and determine whether the ProfileData module is actively used in production applications. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-60081 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy