Skip to main content

HTML::Bare EUVDEUVD-2026-44965

| CVE-2026-57073 CRITICAL
Out-of-bounds Read (CWE-125)
2026-07-16 CPANSec GHSA-682p-jxjc-9j4v
9.1
CVSS 3.1 · Vendor: CPANSec
Share

Severity by source

Vendor (CPANSec) PRIMARY
9.1 CRITICAL
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H
vuln.today AI
6.5 MEDIUM

Network-reachable if the app parses untrusted HTML (AV:N/AC:L/PR:N/UI:N), but a small bounded over-read yields only limited disclosure (C:L) and a likely crash (A:L), not high impact.

3.1 AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L
4.0 AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:L/SC:N/SI:N/SA:N

Primary rating from Vendor (CPANSec).

CVSS VectorVendor: CPANSec

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
High

Lifecycle Timeline

5
Source Code Evidence Fetched
Jul 17, 2026 - 13:23 vuln.today
Analysis Generated
Jul 17, 2026 - 13:23 vuln.today
CVSS changed
Jul 17, 2026 - 13:22 NVD
9.1 (CRITICAL)
CVE Published
Jul 16, 2026 - 16:15 cve.org
CRITICAL 9.1
CVE Published
Jul 16, 2026 - 16:15 cve.org
UNKNOWN (no severity yet)

DescriptionCVE.org

HTML::Bare versions through 0.04 for Perl have an unbounded character lookahead.

The parserc_parse function attempts to check for multicharacter strings such as "<![CDATA" or element terminators such as ">" without checking that the offsets are within the buffer.

Truncated strings such as "<a/" can trigger an out-of-bounds read.

Note that the latest version available on CPAN is version 0.02. Newer versions are available on the git repository.

AnalysisAI

Out-of-bounds read in the HTML::Bare Perl parsing module (versions through 0.04) lets an attacker who supplies truncated or malformed HTML - such as the string "<a/" - force the C-based parserc_parse routine to read past the end of the input buffer. Because the parser performs multi-character lookahead for tokens like "<![CDATA" and element terminators ">" without bounds checks, adjacent heap memory can be disclosed or the process can crash. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Submit truncated HTML fragment to app
Delivery
App calls HTML::Bare parserc_parse
Exploit
Lookahead reads past buffer end
Execution
Out-of-bounds heap read
Impact
Crash or leaked memory in output

Vulnerability AssessmentAI

Exploitation Exploitation requires that the target application pass attacker-controlled input to HTML::Bare's C parser (parserc_parse). … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The provided CVSS 3.1 vector (AV:N/AC:L/PR:N/UI:N/C:H/I:N/A:H, base 9.1) rates this critical on the assumption that untrusted HTML reaches the parser over the network with no authentication and yields high confidentiality and availability impact. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An application uses HTML::Bare to parse HTML or XML-like content submitted by users - for example an API endpoint or feed processor. An attacker submits a deliberately truncated fragment such as "<a/" or a tag missing its closing '>', causing parserc_parse to read beyond the input buffer and either crash the worker (denial of service) or leak adjacent heap bytes back into parsed output. …
Remediation Patch available per vendor advisory: apply the CPANSec-published fixes rather than waiting for a tagged release - https://security.metacpan.org/patches/H/HTML-Bare/0.02/CVE-2026-57073-r1.patch for CPAN 0.02 and https://security.metacpan.org/patches/H/HTML-Bare/0.04/CVE-2026-57073-r2.patch for the git 0.04 line, both corresponding to upstream fix PR https://github.com/nanoscopic/perl-HTML-Bare/pull/2. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours, identify all systems and applications using HTML::Bare module versions through 0.04 and determine exposure based on whether they process untrusted HTML. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

EUVD-2026-44965 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy