Zero Day MonitorZDM
DashboardVulnerabilitiesTrendingZero-DaysNewsAbout
Login
ImpressumPrivacy Policy
Zero Day Monitor © 2026
2770 articles · 175029 vulns · 36/41 feeds (7d)
← Back to list
7.5
CVE-2026-14380EXPLOITEDPATCHED
perl · dbi

DBI versions before 1.650 for Perl are vulnerable to code injection via caller-influenced Profile

Description

DBI versions before 1.650 for Perl are vulnerable to code injection via caller-influenced Profile. When a string is assigned to a DBI handle's Profile attribute, DBI splits it into path, package and arguments, and interpolates the package part in a string eval with no validation of the package name. Any caller-influenced value that reaches the Profile attribute is therefore arbitrary Perl code execution, including calls to run system commands. The Profile attribute can be set from three different sources that can carry untrusted data: the DBI_PROFILE environment variable, a direct attribute assignment, and a DSN driver-attribute clause dbi:Driver(Profile=>SPEC):db. An attacker controlling any of those inputs runs arbitrary Perl in the host process. The strongest remote position is a network-exposed DBI::Gofer / DBI::ProxyServer whose per-request DSN reaches the Profile attribute, letting a client execute code on the broker host.

Affected Products

VendorProductVersions
perldbi0

References

  • https://github.com/perl5-dbi/dbi/commit/b73d5d9901767fc1d16b6661ef08fbed4532e259.patch(patch)
  • https://github.com/perl5-dbi/dbi/security/advisories/GHSA-ch8w-hxc2-v557(vendor-advisory)
  • https://metacpan.org/release/HMBRAND/DBI-1.650/changes(release-notes)

Related News (3 articles)

Tier A
Microsoft MSRC2d ago
CVE-2026-14380 DBI versions before 1.650 for Perl are vulnerable to code injection via caller-influenced Profile
→ No new info (linked only)
Tier C
VulDB6d ago
CVE-2026-14380 | DBI up to 1.649 Profile code injection
→ No new info (linked only)
Tier C
oss-security6d ago
CVE-2026-14380: DBI versions before 1.650 for Perl are vulnerable to code injection via caller-influenced Profile
→ No new info (linked only)
CVSS 3.17.5 NONE
CISA KEV❌ No
Actively exploited✅ Yes
Patch available
1.650
CWECWE-95
PublishedJul 7, 2026
Last enriched6d agov3
Tags
CVE-2026-14380
Trending Score38
Source articles3
Independent3
Info Completeness9/14
Missing: epss, kev, exploit, iocs, mitre_attack

Community Vote

0
Login to vote
0 upvotes0 downvotes
No votes yet

Related CVEs (5)

CRITICALCVE-2026-14739EXP
DBI versions before 1.650 for Perl have a heap overflow when preparsing SQL statements with an extreme number of placeholders
Trending: 49
NONECVE-2026-57432EXP
Perl versions through 5.43.10 have an integer overflow in S_measure_struct leading to an out-of-bounds heap read in pack and unpack
Trending: 49
NONECVE-2026-13221EXP
Perl versions through 5.43.9 produce silently incorrect regular expression matches when an alternation of more than 65535 fixed string branches is compiled into a trie in Perl_study_chunk
Trending: 49
NONECVE-2026-14740
DBI versions before 1.650 for Perl read one byte out-of-bounds in preparse when deleting an initial SQL comment
Trending: 35
NONECVE-2026-8450EXP
HTTP::Daemon versions before 6.17 for Perl allow OS command injection via send_file()
Trending: 26

Pin to Dashboard

Verification

State: verified
Confidence: 0%

Vulnerability Timeline

CVE Published
Jul 7, 2026
Discovered by ZDM
Jul 7, 2026
Updated: cvssEstimate, tags
Jul 7, 2026
Updated: severity, activelyExploited
Jul 7, 2026
Actively Exploited
Jul 9, 2026
Patch Available
Jul 9, 2026

Version History

v3
Last enriched 6d ago
v3Tier C6d ago

Updated severity to CRITICAL and marked the vulnerability as actively exploited.

severityactivelyExploited
via VulDB
v2Tier C6d ago

Updated description with more technical detail, changed severity to HIGH, set CVSS estimate to 7.5, marked exploit as available and actively exploited, and added CVE ID as a tag.

cvssEstimatetags
via oss-security
v16d ago

Initial creation