Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
Primary rating from NVD.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
Lifecycle Timeline
4DescriptionCVE.org
Cpanel::JSON::XS versions before 4.41 for Perl allow type confusion via duplicate object keys when dupkeys_as_arrayref is enabled.
decode_hv() collapses duplicate object keys into an array reference under dupkeys_as_arrayref. The branch reached for a duplicate key tests SvTYPE (old_value) != SVt_RV && SvTYPE (SvRV (old_value)) != SVt_PVAV, which evaluates SvRV(old_value) before establishing that old_value is a reference. When the existing value is a plain scalar rather than an array reference, a non-reference scalar is dereferenced as a reference.
A caller decoding untrusted JSON with dupkeys_as_arrayref enabled is crashed, and the incompatible access follows a pointer taken from attacker controlled scalar contents.
AnalysisAI
Type confusion in Cpanel::JSON::XS (Perl) versions before 4.41 allows remote attackers to crash a decoder by submitting JSON with duplicate object keys when the dupkeys_as_arrayref option is enabled. The decode_hv() routine dereferences a scalar as a reference before verifying its type, turning attacker-controlled scalar contents into a wild pointer access. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires that the target Perl application explicitly enables the non-default dupkeys_as_arrayref decoder option on its Cpanel::JSON::XS instance and then decodes attacker-supplied JSON containing at least one duplicated object key whose prior value is a plain scalar rather than an arrayref. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | CVSS 7.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L) reflects unauthenticated network reachability with low complexity, but the L/L/L impact triad is consistent with a crash/memory corruption read rather than reliable RCE, and CISA SSVC characterizes technical impact as 'partial' with exploitation status 'none'. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker sends a small crafted JSON body such as `{"a":"AAAA","a":"BBBB"}` to a Perl-based HTTP API that decodes request bodies with Cpanel::JSON::XS configured with dupkeys_as_arrayref enabled. On the second occurrence of key `a`, decode_hv() calls SvRV() on the plain scalar `"AAAA"`, treating attacker-controlled string bytes as a pointer to an SV and crashing the worker process; repeating the request denies service. … |
| Remediation | Vendor-released patch: upgrade to Cpanel::JSON::XS 4.41 or later from CPAN (https://metacpan.org/release/RURBAN/Cpanel-JSON-XS-4.41/changes); the upstream commit is https://github.com/rurban/Cpanel-JSON-XS/commit/11a7c550a0d8fac2f84414f24d5df9b2bfe346e2 and the oss-security announcement is at https://seclists.org/oss-sec/2026/q2/791. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours: Inventory all systems running Cpanel::JSON::XS and identify current versions. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
Insufficient input validation of the feature file name in `feature::LOADFEATUREFILE` adminbin call can cause arbitrary f
SQL injection in the cPanel/WHM sqloptimizer utility script allows attackers to execute arbitrary SQL queries as the MyS
Denial of service in the Cpanel::JSON::XS Perl module before version 4.41 allows remote attackers to crash any caller th
Privilege escalation in cPanel and WP Squared allows an authenticated team member account to elevate privileges to the t
Insufficient input validation of the `plugin` parameter of the `create_user` plugin allows arbitrary Perl code execution
A chmod call in the cPanel Nova plugin's Cpanel::Nova::Connector follows symlinks, allowing setting root permissions on
Same technique Denial Of Service
View allVendor StatusVendor
Debian
Bug #1138273| Release | Status | Fixed Version | Urgency |
|---|---|---|---|
| bullseye | vulnerable | 4.25-1 | - |
| bullseye (security) | vulnerable | 4.25-1+deb11u1 | - |
| bookworm, bookworm (security) | vulnerable | 4.35-1+deb12u1 | - |
| trixie (security), trixie | vulnerable | 4.39-2~deb13u1 | - |
| forky, sid | fixed | 4.41-1 | - |
| (unstable) | fixed | 4.41-1 | - |
SUSE
Severity: High| Product | Status |
|---|---|
| openSUSE Tumbleweed | Fixed |
| SUSE Linux Enterprise Module for Package Hub 15 SP7 | Fixed |
Share
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-34060
GHSA-qfqj-xxqv-cxfw