What is the CVSS score of EUVD-2026-32048?

EUVD-2026-32048 has a CVSS 3.1 base score of 7.3 (High). CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L. EPSS exploitation probability: 0.0%.

Which versions of IO::Compress are affected by EUVD-2026-32048?

The IO::Compress Perl library (versions before 2.220) contains a code injection vulnerability that allows arbitrary code execution on affected systems.. A patch is available.

IO::Compress EUVD-2026-32048

| CVE-2026-48962 HIGH

Eval Injection (CWE-95)

2026-05-27 9b29abf9-4ab0-4765-b253-1875cd9b441e

GHSA-q6wx-vhvq-x7h6

RCE Code Injection

7.3

CVSS 3.1

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

Low

Integrity

Low

Availability

Low

Lifecycle Timeline

Source Code Evidence Fetched

May 27, 2026 - 20:59 vuln.today

Analysis Generated

May 27, 2026 - 20:59 vuln.today

Patch available

May 27, 2026 - 19:46 EUVD

DescriptionNVD

IO::Compress versions before 2.220 for Perl can execute arbitrary code in File::GlobMapper via an attacker-controlled output glob.

_parseOutputGlob() wraps the caller-supplied output glob string in double quotes and stores it in the parser state; _getFiles() then runs the stored expression through eval STRING. A literal double quote in the output glob closes the dquote wrapper, and the characters that follow are evaluated as Perl.

Arbitrary Perl in the output glob executes at the calling process's privilege.

AnalysisAI

Arbitrary Perl code execution in the IO::Compress distribution (all versions before 2.220) lets an attacker who controls the output glob string passed to the bundled File::GlobMapper run arbitrary Perl at the calling process's privilege. The output glob is wrapped in double quotes and later handed to Perl's eval STRING, so an embedded double quote escapes the string context and the trailing characters execute as code. …

RemediationAI

Within 24 hours: Inventory all systems and applications using IO::Compress and assess exposure. Within 7 days: Deploy IO::Compress version 2.220 to all affected systems in development, staging, and production. …

Analysis

Detailed AI-generated intelligence summary covering attack vector, impact assessment, affected versions, remediation steps, and indicators of compromise.

POChttps://••••••••••.com/exploit

PATCHhttps://••••••••••.com/patch

ADVISORYhttps://••••••••••.com/advisory

Full analysis requires sign-in

Get intelligence summaries, risk assessment, exploit details, threat intel, and remediation guidance.

EUVD-2026-32048 vulnerability details – vuln.today

Back