Dbi
Monthly
Out-of-bounds read in the Perl DBI (Database Independent Interface) module before version 1.651 lets a caller trigger a negative-array-index read inside the internal row-buffer helper (_set_fbav in DBI.xs), potentially disclosing adjacent process memory or crashing the interpreter. The flaw arises when a statement handle declares zero fields but is fed a non-empty source row, an inconsistency the module failed to reject before returning results. No public exploit has been identified at time of analysis and the issue is not on CISA KEV; the assigned CVSS of 9.1 reflects high confidentiality and availability impact under a network vector, but realistic exploitation depends on a caller (typically a DBD driver or database backend) supplying mismatched metadata and rows.
Memory-exhaustion denial of service in the DBI::ProfileData module (bundled with Perl DBI) before version 1.651 allows an attacker who supplies a crafted profile dump file to force the parser into allocating an oversized array. Because the path-index column is read directly from an untrusted file and used to size an in-memory array, a tiny malicious file can amplify into large memory consumption (CWE-770). There is no public exploit identified at time of analysis and it is not in CISA KEV, but a vendor patch and root-cause commit are available.
Incorrect WHERE-clause evaluation in Perl's DBI::SQL::Nano (versions 1.42 up to 1.651) causes text-based '<=' and '>=' comparisons to be silently inverted, so range-filtered queries return the wrong set of rows. The flaw affects DBI's built-in fallback mini-SQL engine used by file-backed drivers (DBD::File, DBD::DBM, CSV-style) when SQL::Statement is absent, and applications that rely on such predicates for policy or authorization filtering may leak or mishandle records without any error. There is no public exploit identified at time of analysis and the issue is not in CISA KEV; the fix is available upstream in DBI 1.651.
Out-of-bounds read in the Perl DBI module's preparse() SQL-normalisation routine allows an attacker who controls SQL passed to the method (where the statement begins with a comment line) to trigger a one-byte read past a buffer, in all DBI releases before 1.650. On memory-hardened builds this faults and crashes the process (availability impact); on normal builds it produces nondeterministic newline retention. This is a CWE-125 flaw reported by CPANSec with no public exploit identified at time of analysis; EPSS is low at 0.19% (8th percentile) and it is not in CISA KEV.
Heap out-of-bounds write in the Perl DBI database-interface module before version 1.650 occurs when DBI preparses a SQL statement containing an extreme number of placeholders. This is a regression: the fix for CVE-2026-10879 under-allocated the placeholder buffer and could not accommodate roughly 1.2 million placeholders, so DBI 1.650 now enforces a hard cap of 99,999 placeholders. Reported by CPANSec with a vendor patch available; no public exploit identified at time of analysis and EPSS exploitation probability is low (0.19%, 8th percentile).
DBI versions before 1.650 for Perl are vulnerable to code injection via caller-influenced Profile. When a string is assigned to a DBI handle's Profile attribute, DBI splits it into path, package and arguments, and interpolates the package part in a string eval with no validation of the package name. Any caller-influenced value that reaches the Profile attribute is therefore arbitrary Perl code execution, including calls to run system commands. The Profile attribute can be set from three different sources that can carry untrusted data: the DBI_PROFILE environment variable, a direct attribute assignment, and a DSN driver-attribute clause dbi:Driver(Profile=>SPEC):db. An attacker controlling any of those inputs runs arbitrary Perl in the host process. The strongest remote position is a network-exposed DBI::Gofer / DBI::ProxyServer whose per-request DSN reaches the Profile attribute, letting a client execute code on the broker host.
Stack-based buffer overflow in Perl DBI module versions prior to 1.648 allows attackers who can influence database error message content to corrupt memory via a fixed 200-byte stack buffer used during error formatting. The flaw is triggered when applications enable RaiseError, PrintError, or HandleError handlers - a near-universal configuration in production Perl database code. No public exploit identified at time of analysis, and EPSS rates exploitation probability at just 0.02% despite the CVSS 9.8 rating.
Heap buffer overflow in the Perl DBI module versions before 1.648 occurs when the preparse() function processes SQL statements containing 10 or more placeholder binders. The fixed-size buffer allocation (three characters per binder) is insufficient for multi-digit binder names like :p10 through :p99 (four chars) or :p100+ (five chars), enabling memory corruption. EPSS rates exploitation probability at only 0.02% (5th percentile) and no public exploit identified at time of analysis, but the upstream maintainer has shipped a fix expanding the allocation.
Out-of-bounds read in the Perl DBI (Database Independent Interface) module before version 1.651 lets a caller trigger a negative-array-index read inside the internal row-buffer helper (_set_fbav in DBI.xs), potentially disclosing adjacent process memory or crashing the interpreter. The flaw arises when a statement handle declares zero fields but is fed a non-empty source row, an inconsistency the module failed to reject before returning results. No public exploit has been identified at time of analysis and the issue is not on CISA KEV; the assigned CVSS of 9.1 reflects high confidentiality and availability impact under a network vector, but realistic exploitation depends on a caller (typically a DBD driver or database backend) supplying mismatched metadata and rows.
Memory-exhaustion denial of service in the DBI::ProfileData module (bundled with Perl DBI) before version 1.651 allows an attacker who supplies a crafted profile dump file to force the parser into allocating an oversized array. Because the path-index column is read directly from an untrusted file and used to size an in-memory array, a tiny malicious file can amplify into large memory consumption (CWE-770). There is no public exploit identified at time of analysis and it is not in CISA KEV, but a vendor patch and root-cause commit are available.
Incorrect WHERE-clause evaluation in Perl's DBI::SQL::Nano (versions 1.42 up to 1.651) causes text-based '<=' and '>=' comparisons to be silently inverted, so range-filtered queries return the wrong set of rows. The flaw affects DBI's built-in fallback mini-SQL engine used by file-backed drivers (DBD::File, DBD::DBM, CSV-style) when SQL::Statement is absent, and applications that rely on such predicates for policy or authorization filtering may leak or mishandle records without any error. There is no public exploit identified at time of analysis and the issue is not in CISA KEV; the fix is available upstream in DBI 1.651.
Out-of-bounds read in the Perl DBI module's preparse() SQL-normalisation routine allows an attacker who controls SQL passed to the method (where the statement begins with a comment line) to trigger a one-byte read past a buffer, in all DBI releases before 1.650. On memory-hardened builds this faults and crashes the process (availability impact); on normal builds it produces nondeterministic newline retention. This is a CWE-125 flaw reported by CPANSec with no public exploit identified at time of analysis; EPSS is low at 0.19% (8th percentile) and it is not in CISA KEV.
Heap out-of-bounds write in the Perl DBI database-interface module before version 1.650 occurs when DBI preparses a SQL statement containing an extreme number of placeholders. This is a regression: the fix for CVE-2026-10879 under-allocated the placeholder buffer and could not accommodate roughly 1.2 million placeholders, so DBI 1.650 now enforces a hard cap of 99,999 placeholders. Reported by CPANSec with a vendor patch available; no public exploit identified at time of analysis and EPSS exploitation probability is low (0.19%, 8th percentile).
DBI versions before 1.650 for Perl are vulnerable to code injection via caller-influenced Profile. When a string is assigned to a DBI handle's Profile attribute, DBI splits it into path, package and arguments, and interpolates the package part in a string eval with no validation of the package name. Any caller-influenced value that reaches the Profile attribute is therefore arbitrary Perl code execution, including calls to run system commands. The Profile attribute can be set from three different sources that can carry untrusted data: the DBI_PROFILE environment variable, a direct attribute assignment, and a DSN driver-attribute clause dbi:Driver(Profile=>SPEC):db. An attacker controlling any of those inputs runs arbitrary Perl in the host process. The strongest remote position is a network-exposed DBI::Gofer / DBI::ProxyServer whose per-request DSN reaches the Profile attribute, letting a client execute code on the broker host.
Stack-based buffer overflow in Perl DBI module versions prior to 1.648 allows attackers who can influence database error message content to corrupt memory via a fixed 200-byte stack buffer used during error formatting. The flaw is triggered when applications enable RaiseError, PrintError, or HandleError handlers - a near-universal configuration in production Perl database code. No public exploit identified at time of analysis, and EPSS rates exploitation probability at just 0.02% despite the CVSS 9.8 rating.
Heap buffer overflow in the Perl DBI module versions before 1.648 occurs when the preparse() function processes SQL statements containing 10 or more placeholder binders. The fixed-size buffer allocation (three characters per binder) is insufficient for multi-digit binder names like :p10 through :p99 (four chars) or :p100+ (five chars), enabling memory corruption. EPSS rates exploitation probability at only 0.02% (5th percentile) and no public exploit identified at time of analysis, but the upstream maintainer has shipped a fix expanding the allocation.