
WWW::Mechanize::Cached CVE-2026-8612

EUVD-2026-30495 MEDIUM
Incorrect Permission Assignment for Critical Resource (CWE-732)
2026-05-15 CPANSec GHSA-38r9-g25v-vcvr
CVSS 3.1: 5.3

CVSS Vector (NVD)

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L
Attack Vector: Local
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged
Confidentiality: Low
Integrity: Low
Availability: Low

Lifecycle Timeline

Source Code Evidence Fetched: May 15, 2026 - 15:27 (vuln.today)
Analysis Generated: May 15, 2026 - 15:27 (vuln.today)
CVSS changed: May 15, 2026 - 15:22 (NVD), 5.3 (MEDIUM)
CVE Published: May 15, 2026 - 01:11 (NVD), UNKNOWN (no severity yet)

Description (NVD)

WWW::Mechanize::Cached versions before 2.00 for Perl deserialize cached HTTP responses from a world-writable on-disk cache, enabling local response forgery and code execution.

With no explicit cache backend, WWW::Mechanize::Cached constructs a default Cache::FileCache under /tmp/FileCache without overriding the backend's documented directory_umask of 000, so the cache root and its subdirectories are created mode 0777 with no sticky bit. Cache entries are named by sha1_hex of the request and read back through Storable::thaw on the next cache hit.

A local attacker with write access to the cache tree can replace a victim's cache entry for a known URL with an arbitrary frozen HTTP::Response blob, causing the victim's next get() of that URL to return attacker-controlled response bytes. Because the bytes are passed to Storable::thaw, a victim process that has loaded any class with a side-effectful STORABLE_thaw, DESTROY, or overload hook can be escalated to arbitrary code execution.
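A defender-side check for the condition described above, as an added example that is not part of the advisory or the module's own code: it walks a cache tree and reports directories that are world-writable without the sticky bit, plus entries that are symlinks, foreign-owned, or writable by others. The function names, finding labels and the sample tree are assumptions constructed for illustration.

```python
import os
import stat
import tempfile

def audit_cache_tree(root, expected_uid=None):
    """Return (path, issue) findings for the cache tree rooted at `root`."""
    if expected_uid is None:
        expected_uid = os.getuid()
    findings = []
    for dirpath, _dirnames, filenames in os.walk(root):
        mode = stat.S_IMODE(os.stat(dirpath).st_mode)
        # World-writable without the sticky bit: any local user may unlink or
        # rename entries here and drop in replacements, whatever the file modes.
        if mode & stat.S_IWOTH and not mode & stat.S_ISVTX:
            findings.append((dirpath, "dir-world-writable-no-sticky"))
        for name in filenames:
            path = os.path.join(dirpath, name)
            fst = os.lstat(path)
            if stat.S_ISLNK(fst.st_mode):
                findings.append((path, "entry-is-symlink"))
            elif fst.st_uid != expected_uid:
                findings.append((path, "entry-foreign-owner"))
            elif stat.S_IMODE(fst.st_mode) & (stat.S_IWGRP | stat.S_IWOTH):
                findings.append((path, "entry-writable-by-others"))
    return findings

def build_sample_tree(base, dir_mode):
    """Constructed sample: base/ns/a/entry, with every directory set to dir_mode."""
    leaf = os.path.join(base, "ns", "a")
    os.makedirs(leaf)
    entry = os.path.join(leaf, "entry")
    with open(entry, "wb") as fh:
        fh.write(b"constructed placeholder, not a real frozen response")
    os.chmod(entry, 0o600)
    for d in (leaf, os.path.join(base, "ns"), base):
        os.chmod(d, dir_mode)
    return base

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as weak, tempfile.TemporaryDirectory() as tight:
        for label, root, mode in (("0777", weak, 0o777), ("0700", tight, 0o700)):
            build_sample_tree(root, mode)
            print(label, audit_cache_tree(root))
```

On a host running an affected version, point `audit_cache_tree` at `/tmp/FileCache`; note that the 0600 entry in the sample is still replaceable when its parent directory is 0777 without the sticky bit, which is why the directory finding is reported on its own.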

Analysis (AI)

Local privilege escalation in WWW::Mechanize::Cached for Perl (versions before 2.00) allows authenticated local attackers to inject malicious cached HTTP responses and achieve arbitrary code execution. The module creates world-writable cache directories under /tmp/FileCache with 0777 permissions, enabling any local user to replace cached responses that are deserialized via Storable::thaw. …
