What is the CVSS score of CVE-2026-8450?

CVE-2026-8450 has a CVSS 3.1 base score of 9.1 (Critical). CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N. EPSS exploitation probability: 0.1%.

Which versions of HTTP::Daemon are affected by CVE-2026-8450?

HTTP::Daemon (libwww-perl) versions before 6.17 contain a critical remote code execution vulnerability allowing unauthenticated attackers to execute arbitrary system commands.. A patch is available.

HTTP::Daemon CVE-2026-8450

EUVD-2026-32050 CRITICAL

External Control of File Name or Path (CWE-73)

2026-05-27 9b29abf9-4ab0-4765-b253-1875cd9b441e

GHSA-3hc6-3p33-wq57

Command Injection

9.1

CVSS 3.1

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

None

Lifecycle Timeline

Patch available

May 27, 2026 - 19:46 EUVD

Source Code Evidence Fetched

May 27, 2026 - 19:44 vuln.today

Analysis Generated

May 27, 2026 - 19:44 vuln.today

DescriptionNVD

HTTP::Daemon versions before 6.17 for Perl allow OS command injection via send_file().

send_file() opens its string argument with Perl's 2-arg open(). The 2-arg form interprets magic prefixes: '| cmd' and 'cmd |' open a pipe to a subprocess, '> path' and '>> path' open the path for write or append.

Untrusted input passed to send_file() can run OS commands at the daemon process UID. The read-pipe form ('cmd |') also leaks subprocess stdout into the HTTP response body. The write-mode forms can create or truncate files at attacker chosen paths.

AnalysisAI

OS command injection in Perl's HTTP::Daemon before 6.17 (libwww-perl) lets remote unauthenticated attackers execute commands as the daemon process UID when request-derived input reaches the send_file() method. The method opened its string argument with Perl's 2-argument open(), whose magic prefixes ('| cmd', 'cmd |', '> path', '>> path') spawn subprocesses or write/truncate files; the read-pipe form additionally leaks subprocess stdout into the HTTP response body. …

RemediationAI

Within 24 hours: Conduct inventory of all systems and applications using HTTP::Daemon/libwww-perl and their current versions. Within 7 days: Apply vendor patch to upgrade HTTP::Daemon to version 6.17 or later on all affected systems, prioritizing internet-facing services. …

Analysis

Detailed AI-generated intelligence summary covering attack vector, impact assessment, affected versions, remediation steps, and indicators of compromise.

POChttps://••••••••••.com/exploit

PATCHhttps://••••••••••.com/patch

ADVISORYhttps://••••••••••.com/advisory

Full analysis requires sign-in

Get intelligence summaries, risk assessment, exploit details, threat intel, and remediation guidance.

CVE-2026-8450 vulnerability details – vuln.today

Back

HTTP::Daemon CVE-2026-8450

CVSS VectorNVD

Lifecycle Timeline

DescriptionNVD

AnalysisAI

RemediationAI

Full analysis requires sign-in

Share

External POC / Exploit Code