Skip to main content

Web::Passwd CVE-2026-8500

| EUVDEUVD-2026-30206 CRITICAL
OS Command Injection (CWE-78)
2026-05-13 CPANSec GHSA-jrw9-jqqp-jcq9
9.8
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
9.8 CRITICAL
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

4
Analysis Generated
May 14, 2026 - 18:22 vuln.today
CVSS changed
May 14, 2026 - 18:22 NVD
9.8 (CRITICAL)
CVE Published
May 13, 2026 - 22:24 nvd
CRITICAL 9.8
CVE Published
May 13, 2026 - 22:24 nvd
UNKNOWN (no severity yet)

DescriptionCVE.org

Web::Passwd versions through 0.03 for Perl is vulnerable to RCE.

Web::Passwd is a small CGI application for managing htpasswd files using the htpasswd command.

The user parameter is not validated or escaped, and is used as the last argument on the command line, allowing for command injection.

AnalysisAI

Remote code execution in Web::Passwd 0.03 and earlier allows unauthenticated network attackers to execute arbitrary system commands with web server privileges via command injection in the user parameter. The CVSS vector indicates network-accessible, low-complexity exploitation requiring no authentication or user interaction. EPSS score is low (0.04%, 12th percentile), suggesting limited real-world exploitation observed to date. No active exploitation confirmed by CISA KEV at time of analysis, though publicly available exploit code exists per oss-security disclosure.

Technical ContextAI

Web::Passwd is a legacy Perl CGI application for managing Apache htpasswd authentication files through a web interface, wrapping the htpasswd command-line utility. The vulnerability stems from CWE-78 (OS Command Injection) where user-supplied input via the user parameter is passed unsanitized directly to the command line as the final argument to htpasswd. Because Perl's system() or backtick operators can interpret shell metacharacters, an attacker can inject additional commands using shell operators like semicolons, pipes, or backticks. The affected product CPE (cpe:2.3:a:evank:web::passwd:*:*:*:*:*:*:*:*) covers all versions through 0.03, the last release from 2004, indicating this is an unmaintained legacy package.

RemediationAI

No vendor-released patch identified at time of analysis-Web::Passwd was last updated in 2004 and appears abandoned with no active maintainer. Organizations still using this package should immediately replace it with actively maintained alternatives such as modern web server authentication management tools, configuration management systems (Ansible, Puppet), or containerized authentication services. As an interim emergency control, restrict network access to the CGI script to trusted IP ranges only via web server configuration (Apache Allow/Deny directives or firewall rules), though this mitigation assumes internal network trust and does not eliminate the vulnerability. Alternatively, remove the CGI application entirely and manage htpasswd files through secure shell access with proper access controls. Organizations dependent on web-based htpasswd management should evaluate modern Apache/nginx authentication backends or migrate to centralized identity providers. Given the 20-year-old codebase and command injection attack surface, no workaround provides adequate security-full replacement is the only defensible long-term strategy.

Share

CVE-2026-8500 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy