彙總 Perl 相關全部產品的 CVE 與安全漏洞情報,包括 CVSS、EPSS、公開時間與漏洞情報資料。
歷史漏洞主要涉及 緩衝區溢位與記憶體損壞 等問題,部分漏洞可能導致 記憶體損壞,並影響 軟體部署與生產負載 相關場景。
相關漏洞資料主要來源於公開漏洞披露與安全公告,可用於評估歷史漏洞暴露面與修補優先順序。
| CVE | 摘要 | 來源 | 最高 CVSS | EPSS % | 公開時間 | 更新時間 |
|---|---|---|---|---|---|---|
| CVE-2026-9698 | DBI versions before 1.648 for Perl saved errors in a limited-sized buffer. Error messages that were returned when RaiseError, PrintError or HandleError were set were written to a 200-byte buffer without a length limit. Attackers that can influence the error text in an application can trigger a buffer overflow. | 9b29abf9-4ab0-4765-b253-1875cd9b441e | 9.8 | 0.42% | 2026-06-09 | 2026-06-17 |
| CVE-2026-10879 | DBI versions before 1.648 for Perl have a heap overflow when preparsing SQL statements with more than 9 binders. The preparse method expands SQL placeholder characters to numbered binders of the form :pN, but only allocates three characters per binder in the buffer. Placeholders 10-99 require four characters, 100-999 require five characters, et cetera. | 9b29abf9-4ab0-4765-b253-1875cd9b441e | 9.8 | 0.43% | 2026-06-05 | 2026-06-17 |
| CVE-2026-8376 | Perl versions through 5.43.10 have a heap buffer overflow when compiling regular expressions with a repeated fixed string on 32-bit builds. Perl_study_chunk in regcomp_study.c checked the size of the joined substring buffer in characters rather than bytes. For a quantified fixed substring with a large minimum count, the byte length mincount * l could overflow SSize_t, producing an undersized SvGROW allocation; the subsequent copy writes past the end of the buffer. A caller that compiles an att | 9b29abf9-4ab0-4765-b253-1875cd9b441e | 9.8 | 0.40% | 2026-05-25 | 2026-06-17 |
| CVE-2026-4176 | Perl versions from 5.9.4 before 5.40.4-RC1, from 5.41.0 before 5.42.2-RC1, from 5.43.0 before 5.43.9 contain a vulnerable version of Compress::Raw::Zlib. Compress::Raw::Zlib is included in the Perl package as a dual-life core module, and is vulnerable to CVE-2026-3381 due to a vendored version of zlib which has several vulnerabilities, including CVE-2026-27171. The bundled Compress::Raw::Zlib was updated to version 2.221 in Perl blead commit c75ae9cc164205e1b6d6dbd57bd2c65c8593fe94. | 9b29abf9-4ab0-4765-b253-1875cd9b441e | 9.8 | 0.68% | 2026-03-29 | 2026-06-17 |
| CVE-2024-56406 | A heap buffer overflow vulnerability was discovered in Perl. Release branches 5.34, 5.36, 5.38 and 5.40 are affected, including development versions from 5.33.1 through 5.41.10. When there are non-ASCII bytes in the left-hand-side of the `tr` operator, `S_do_trans_invmap` can overflow the destination pointer `d`. $ perl -e '$_ = "\x{FF}" x 1000000; tr/\xFF/\x{100}/;' Segmentation fault (core dumped) It is believed that this vulnerability can enable Denial of Service and possibly Code | 9b29abf9-4ab0-4765-b253-1875cd9b441e | 8.4 | 0.47% | 2025-04-13 | 2026-06-17 |
| CVE-2023-47039 | A vulnerability was found in Perl. This security issue occurs while Perl for Windows relies on the system path environment variable to find the shell (`cmd.exe`). When running an executable that uses the Windows Perl interpreter, Perl attempts to find and execute `cmd.exe` within the operating system. However, due to path search order issues, Perl initially looks for cmd.exe in the current working directory. This flaw allows an attacker with limited privileges to place`cmd.exe` in locations with | [email protected] | 7.8 | 0.41% | 2024-01-02 | 2026-06-17 |
| CVE-2023-47038 | A vulnerability was found in perl 5.30.0 through 5.38.0. This issue occurs when a crafted regular expression is compiled by perl, which can allow an attacker controlled byte buffer overflow in a heap allocated buffer. | [email protected] | 7.0 | 0.83% | 2023-12-18 | 2026-06-17 |
| CVE-2022-48522 | In Perl 5.34.0, function S_find_uninit_var in sv.c has a stack-based crash that can lead to remote code execution or local privilege escalation. | [email protected] | 9.8 | 2.05% | 2023-08-22 | 2026-06-17 |
| CVE-2023-31486 | HTTP::Tiny before 0.083, a Perl core module since 5.13.9 and available standalone on CPAN, has an insecure default TLS configuration where users must opt in to verify certificates. | [email protected] | 8.1 | 1.73% | 2023-04-28 | 2026-06-17 |
| CVE-2023-31484 | CPAN.pm before 2.35 does not verify TLS certificates when downloading distributions over HTTPS. | [email protected] | 8.1 | 1.56% | 2023-04-28 | 2026-06-17 |
| CVE-2020-16156 | CPAN 2.28 allows Signature Verification Bypass. | [email protected] | 7.8 | 0.79% | 2021-12-13 | 2026-06-16 |
| CVE-2019-20919 | An issue was discovered in the DBI module before 1.643 for Perl. The hv_fetch() documentation requires checking for NULL and the code does that. But, shortly thereafter, it calls SvOK(profile), causing a NULL pointer dereference. | [email protected] | 4.7 | 0.51% | 2020-09-17 | 2026-06-16 |
| CVE-2014-10402 | An issue was discovered in the DBI module through 1.643 for Perl. DBD::File drivers can open files from folders other than those specifically passed via the f_dir attribute in the data source name (DSN). NOTE: this issue exists because of an incomplete fix for CVE-2014-10401. | [email protected] | 6.1 | 0.49% | 2020-09-16 | 2026-06-16 |
| CVE-2020-14393 | A buffer overflow was found in perl-DBI < 1.643 in DBI.xs. A local attacker who is able to supply a string longer than 300 characters could cause an out-of-bounds write, affecting the availability of the service or integrity of data. | [email protected] | 7.1 | 0.60% | 2020-09-16 | 2026-06-16 |
| CVE-2020-14392 | An untrusted pointer dereference flaw was found in Perl-DBI < 1.643. A local attacker who is able to manipulate calls to dbd_db_login6_sv() could cause memory corruption, affecting the service's availability. | [email protected] | 5.5 | 0.55% | 2020-09-16 | 2026-06-16 |
| CVE-2014-10401 | An issue was discovered in the DBI module before 1.632 for Perl. DBD::File drivers can open files from folders other than those specifically passed via the f_dir attribute. | [email protected] | 6.1 | 0.44% | 2020-09-11 | 2026-06-16 |
| CVE-2013-7491 | An issue was discovered in the DBI module before 1.628 for Perl. Stack corruption occurs when a user-defined function requires a non-trivial amount of memory and the Perl stack gets reallocated. | [email protected] | 5.3 | 2.66% | 2020-09-11 | 2026-06-16 |
| CVE-2013-7490 | An issue was discovered in the DBI module before 1.632 for Perl. Using many arguments to methods for Callbacks may lead to memory corruption. | [email protected] | 5.3 | 2.74% | 2020-09-11 | 2026-06-16 |
| CVE-2020-12723 | regcomp.c in Perl before 5.30.3 allows a buffer overflow via a crafted regular expression because of recursive S_study_chunk calls. | [email protected] | 7.5 | 5.97% | 2020-06-05 | 2026-06-16 |
| CVE-2020-10878 | Perl before 5.30.3 has an integer overflow related to mishandling of a "PL_regkind[OP(n)] == NOTHING" situation. A crafted regular expression could lead to malformed bytecode with a possibility of instruction injection. | [email protected] | 8.6 | 4.92% | 2020-06-05 | 2026-06-16 |