Skip to main content

Plack

4 CVEs product

Monthly

CVE-2026-9658 HIGH PATCH This Week

Header injection filtering bypass in Plack::Middleware::Security::Common (Perl) versions prior to 0.13.1 allows remote attackers to smuggle CRLF sequences and additional headers through request paths that are not double-encoded. The flaw weakens a security middleware specifically designed to prevent header injection, and while EPSS sits at 0.03% (9th percentile) with no public exploit identified at time of analysis, downstream impact depends on how reverse proxies and Plack-based servers handle the unblocked CRLF payloads.

Code Injection Plack
NVD
CVSS 3.1
7.3
EPSS
0.0%
CVE-2026-45179 MEDIUM PATCH This Month

Plack::Middleware::Statsd versions before 0.9.0 leak user IP addresses to unsecured statsd daemons via unencrypted UDP communication. Remote unauthenticated attackers on the same network as the statsd daemon can intercept plaintext IP addresses transmitted by the middleware. Version 0.9.0 and later disable IP logging by default and use HMAC signatures when logging is enabled, eliminating the exposure.

Information Disclosure Plack
NVD GitHub
CVSS 3.1
5.3
EPSS
0.0%
CVE-2014-125112 CRITICAL PATCH Act Now

Plack::Middleware::Session::Cookie versions through 0.21 for Perl allows remote code execution. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Deserialization RCE Plack
NVD GitHub
CVSS 3.1
9.8
EPSS
0.0%
CVE-2014-5269 MEDIUM PATCH This Month

Plack::App::File in Plack before 1.0031 removes trailing slash characters from paths, which allows remote attackers to bypass the whitelist of generated files and obtain sensitive information via a. Rated medium severity (CVSS 5.0), this vulnerability is remotely exploitable, low attack complexity.

Privilege Escalation Plack
NVD GitHub
CVSS 2.0
5.0
EPSS
0.5%
EPSS 0% CVSS 7.3
HIGH PATCH This Week

Header injection filtering bypass in Plack::Middleware::Security::Common (Perl) versions prior to 0.13.1 allows remote attackers to smuggle CRLF sequences and additional headers through request paths that are not double-encoded. The flaw weakens a security middleware specifically designed to prevent header injection, and while EPSS sits at 0.03% (9th percentile) with no public exploit identified at time of analysis, downstream impact depends on how reverse proxies and Plack-based servers handle the unblocked CRLF payloads.

Code Injection Plack
NVD
EPSS 0% CVSS 5.3
MEDIUM PATCH This Month

Plack::Middleware::Statsd versions before 0.9.0 leak user IP addresses to unsecured statsd daemons via unencrypted UDP communication. Remote unauthenticated attackers on the same network as the statsd daemon can intercept plaintext IP addresses transmitted by the middleware. Version 0.9.0 and later disable IP logging by default and use HMAC signatures when logging is enabled, eliminating the exposure.

Information Disclosure Plack
NVD GitHub
EPSS 0% CVSS 9.8
CRITICAL PATCH Act Now

Plack::Middleware::Session::Cookie versions through 0.21 for Perl allows remote code execution. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Deserialization RCE Plack
NVD GitHub
EPSS 0% CVSS 5.0
MEDIUM PATCH This Month

Plack::App::File in Plack before 1.0031 removes trailing slash characters from paths, which allows remote attackers to bypass the whitelist of generated files and obtain sensitive information via a. Rated medium severity (CVSS 5.0), this vulnerability is remotely exploitable, low attack complexity.

Privilege Escalation Plack
NVD GitHub

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy