Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
4DescriptionCVE.org
Web::Passwd versions through 0.03 for Perl is vulnerable to RCE.
Web::Passwd is a small CGI application for managing htpasswd files using the htpasswd command.
The user parameter is not validated or escaped, and is used as the last argument on the command line, allowing for command injection.
AnalysisAI
Remote code execution in Web::Passwd 0.03 and earlier allows unauthenticated network attackers to execute arbitrary system commands with web server privileges via command injection in the user parameter. The CVSS vector indicates network-accessible, low-complexity exploitation requiring no authentication or user interaction. EPSS score is low (0.04%, 12th percentile), suggesting limited real-world exploitation observed to date. No active exploitation confirmed by CISA KEV at time of analysis, though publicly available exploit code exists per oss-security disclosure.
Technical ContextAI
Web::Passwd is a legacy Perl CGI application for managing Apache htpasswd authentication files through a web interface, wrapping the htpasswd command-line utility. The vulnerability stems from CWE-78 (OS Command Injection) where user-supplied input via the user parameter is passed unsanitized directly to the command line as the final argument to htpasswd. Because Perl's system() or backtick operators can interpret shell metacharacters, an attacker can inject additional commands using shell operators like semicolons, pipes, or backticks. The affected product CPE (cpe:2.3:a:evank:web::passwd:*:*:*:*:*:*:*:*) covers all versions through 0.03, the last release from 2004, indicating this is an unmaintained legacy package.
RemediationAI
No vendor-released patch identified at time of analysis-Web::Passwd was last updated in 2004 and appears abandoned with no active maintainer. Organizations still using this package should immediately replace it with actively maintained alternatives such as modern web server authentication management tools, configuration management systems (Ansible, Puppet), or containerized authentication services. As an interim emergency control, restrict network access to the CGI script to trusted IP ranges only via web server configuration (Apache Allow/Deny directives or firewall rules), though this mitigation assumes internal network trust and does not eliminate the vulnerability. Alternatively, remove the CGI application entirely and manage htpasswd files through secure shell access with proper access controls. Organizations dependent on web-based htpasswd management should evaluate modern Apache/nginx authentication backends or migrate to centralized identity providers. Given the 20-year-old codebase and command injection attack surface, no workaround provides adequate security-full replacement is the only defensible long-term strategy.
The "secret chat" feature in Telegram 4.9.1 for Android has a "side channel" in which Telegram servers send GET requests
A vulnerability has been found in Engeman Web up to 12.0.0.2. The affected element is an unknown function of the file /L
Input validation vulnerability in Centreon Open Tickets module allows authenticated attackers to manipulate ticket data,
Web::API 2.8 and earlier for Perl uses the rand() function as the default source of entropy, which is not cryptographica
Stored HTML injection in Pi-hole Admin Interface versions 6.0 through 6.4 allows authenticated high-privilege users to i
Same weakness CWE-78 – OS Command Injection
View allSame technique Command Injection
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-30206
GHSA-jrw9-jqqp-jcq9