Skip to main content

Io

4 CVEs product

Monthly

CVE-2026-48961 HIGH PATCH This Week

Denial of service in the zipdetails CLI tool bundled with Perl's IO::Compress versions 2.207 through 2.219 causes the script to abort with status 255 when parsing a ZIP archive containing an Info-ZIP Unix Extra Field (tag 0x7875) that declares an 8-byte UID or GID size. The bug is a typo in the source (calling unpackValueQ instead of unpackValue_Q), and no public exploit is identified at time of analysis; library callers of IO::Compress/IO::Uncompress are unaffected. EPSS is negligible (0.02%) and impact is limited to crashing the inspection tool, not the consuming application.

Denial Of Service Io Suse Red Hat
NVD GitHub VulDB
CVSS 3.1
7.3
EPSS
0.0%
CVE-2026-48959 HIGH PATCH This Week

Denial of service in the Perl module IO::Uncompress::Unzip before version 2.220 allows remote attackers to cause CPU exhaustion by supplying a crafted ZIP archive that triggers a per-byte read loop in the fastForward() routine. No public exploit identified at time of analysis, and EPSS rates exploitation probability at 0.02%, but any application that accepts untrusted ZIP files and extracts a named entry through this module is exposed to availability impact.

Information Disclosure Io Red Hat
NVD GitHub VulDB
CVSS 3.1
7.5
EPSS
0.0%
CVE-2025-15649 MEDIUM PATCH This Month

Uncaught exception in IO::Uncompress::Unzip before version 2.215 for Perl causes application-level denial of service when parsing ZIP files containing malformed DOS date fields. The `_dosToUnixTime()` function calls `Time::Local::timelocal()` without an `eval` guard, so a ZIP header encoding an out-of-range month, day, or hour causes `timelocal()` to `die`, propagating the exception to the caller rather than returning `undef` with a populated `$UnzipError` as callers expect. Any Perl application that processes untrusted ZIP files locally is affected; no public exploit has been identified at time of analysis, and EPSS exploitation probability is negligible at 0.02%.

Information Disclosure Io Suse Red Hat
NVD GitHub VulDB
CVSS 3.1
5.5
EPSS
0.0%
CVE-2023-46122 Maven HIGH POC PATCH This Week

sbt is a build tool for Scala, Java, and others. Rated high severity (CVSS 7.1), this vulnerability is no authentication required, low attack complexity. Public exploit code available.

Path Traversal Io Sbt
NVD GitHub
CVSS 3.1
7.1
EPSS
0.3%
EPSS 0% CVSS 7.3
HIGH PATCH This Week

Denial of service in the zipdetails CLI tool bundled with Perl's IO::Compress versions 2.207 through 2.219 causes the script to abort with status 255 when parsing a ZIP archive containing an Info-ZIP Unix Extra Field (tag 0x7875) that declares an 8-byte UID or GID size. The bug is a typo in the source (calling unpackValueQ instead of unpackValue_Q), and no public exploit is identified at time of analysis; library callers of IO::Compress/IO::Uncompress are unaffected. EPSS is negligible (0.02%) and impact is limited to crashing the inspection tool, not the consuming application.

Denial Of Service Io Suse +1
NVD GitHub VulDB
EPSS 0% CVSS 7.5
HIGH PATCH This Week

Denial of service in the Perl module IO::Uncompress::Unzip before version 2.220 allows remote attackers to cause CPU exhaustion by supplying a crafted ZIP archive that triggers a per-byte read loop in the fastForward() routine. No public exploit identified at time of analysis, and EPSS rates exploitation probability at 0.02%, but any application that accepts untrusted ZIP files and extracts a named entry through this module is exposed to availability impact.

Information Disclosure Io Red Hat
NVD GitHub VulDB
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

Uncaught exception in IO::Uncompress::Unzip before version 2.215 for Perl causes application-level denial of service when parsing ZIP files containing malformed DOS date fields. The `_dosToUnixTime()` function calls `Time::Local::timelocal()` without an `eval` guard, so a ZIP header encoding an out-of-range month, day, or hour causes `timelocal()` to `die`, propagating the exception to the caller rather than returning `undef` with a populated `$UnzipError` as callers expect. Any Perl application that processes untrusted ZIP files locally is affected; no public exploit has been identified at time of analysis, and EPSS exploitation probability is negligible at 0.02%.

Information Disclosure Io Suse +1
NVD GitHub VulDB
EPSS 0% CVSS 7.1
HIGH POC PATCH This Week

sbt is a build tool for Scala, Java, and others. Rated high severity (CVSS 7.1), this vulnerability is no authentication required, low attack complexity. Public exploit code available.

Path Traversal Io Sbt
NVD GitHub

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy