Skip to main content

HTTP::Daemon CVE-2026-8450

| EUVDEUVD-2026-32050 CRITICAL
External Control of File Name or Path (CWE-73)
2026-05-27 9b29abf9-4ab0-4765-b253-1875cd9b441e GHSA-3hc6-3p33-wq57
9.1
CVSS 3.1 · Vendor: 9b29abf9-4ab0-4765-b253-1875cd9b441e
Share

Severity by source

Vendor (9b29abf9-4ab0-4765-b253-1875cd9b441e) PRIMARY
9.1 CRITICAL
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
SUSE
CRITICAL
qualitative
Red Hat
8.1 HIGH
qualitative

Primary rating from Vendor (9b29abf9-4ab0-4765-b253-1875cd9b441e).

CVSS VectorVendor: 9b29abf9-4ab0-4765-b253-1875cd9b441e

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
None

Lifecycle Timeline

3
Patch available
May 27, 2026 - 19:46 EUVD
Source Code Evidence Fetched
May 27, 2026 - 19:44 vuln.today
Analysis Generated
May 27, 2026 - 19:44 vuln.today

DescriptionCVE.org

HTTP::Daemon versions before 6.17 for Perl allow OS command injection via send_file().

send_file() opens its string argument with Perl's 2-arg open(). The 2-arg form interprets magic prefixes: '| cmd' and 'cmd |' open a pipe to a subprocess, '> path' and '>> path' open the path for write or append.

Untrusted input passed to send_file() can run OS commands at the daemon process UID. The read-pipe form ('cmd |') also leaks subprocess stdout into the HTTP response body. The write-mode forms can create or truncate files at attacker chosen paths.

AnalysisAI

OS command injection in Perl's HTTP::Daemon before 6.17 (libwww-perl) lets remote unauthenticated attackers execute commands as the daemon process UID when request-derived input reaches the send_file() method. The method opened its string argument with Perl's 2-argument open(), whose magic prefixes ('| cmd', 'cmd |', '> path', '>> path') spawn subprocesses or write/truncate files; the read-pipe form additionally leaks subprocess stdout into the HTTP response body. There is no public exploit identified at time of analysis and no CISA KEV listing, but the upstream fix is released (6.17) and the patch diff is public, so the root cause is fully disclosed.

Technical ContextAI

HTTP::Daemon is a Perl HTTP/1.1 server class shipped as part of the libwww-perl (LWP) ecosystem; its send_file() (used by send_dir/file serving) copies a named file to the client. The root cause is CWE-73 (External Control of File Name or Path): the vulnerable code called open(FILE, $file) - Perl's two-argument open - which treats the filename as a mini command language. A leading or trailing pipe ('| cmd' / 'cmd |') opens a pipe to a subprocess and a leading '>'/'>>' opens the path for write/append, so a value like 'cmd |' executes 'cmd' instead of opening a literal file. The fix (commit 945d3514, PR #89) replaces this with the three-argument form open(my $fh, '<', $file), forcing read mode and a literal path, and also returns '0E0' to distinguish a zero-byte success from open failure. The vendor explicitly notes the patch only neutralizes 2-arg shell-magic and does not address symlinks, device files (/dev/zero, /dev/stdin), named pipes, or path traversal.

RemediationAI

Vendor-released patch: HTTP::Daemon 6.17 - upgrade to 6.17 or later (release notes: https://metacpan.org/release/OALDERS/HTTP-Daemon-6.17/changes; fix commit https://github.com/libwww-perl/HTTP-Daemon/commit/945d35141d94490f749640bd4390acd6a2193995.patch and PR https://github.com/libwww-perl/HTTP-Daemon/pull/89). If you cannot upgrade immediately, the actionable interim control is to ensure no attacker-influenced value ever reaches send_file(): canonicalize the path, reject any value containing '|', '>', '<', leading/trailing whitespace, or '..' segments, require -f _ (a plain file) against a vetted document-root prefix, and serve files by mapping a validated identifier to a fixed path rather than passing the request string directly. The trade-off is added per-request validation cost and the risk of incomplete blacklisting - prefer the upgrade. Crucially, the maintainers warn the 6.17 fix only neutralizes 2-arg open shell-magic, so even after patching you must still validate paths to block symlinks, character/block device files (e.g. /dev/stdin), named pipes (which can block the worker), and files outside the intended document root.

Vendor StatusVendor

SUSE

Severity: Critical
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed
SUSE Linux Enterprise Module for Basesystem 15 SP7 Fixed
SUSE Linux Enterprise Server 15 SP7 Fixed
SUSE Linux Enterprise Server 16.0 Fixed

Share

CVE-2026-8450 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy