Zero Day MonitorZDM
DashboardVulnerabilitiesTrendingZero-DaysNewsAbout
Login
ImpressumPrivacy Policy
Zero Day Monitor © 2026
2770 articles · 175029 vulns · 36/41 feeds (7d)
← Back to list
9.8
CVE-2026-14739EXPLOITEDPATCHED
perl · dbi

DBI versions before 1.650 for Perl have a heap overflow when preparsing SQL statements with an extreme number of placeholders

Description

DBI versions before 1.650 for Perl have a heap overflow when preparsing SQL statements with an extreme number of placeholders. The fix for CVE-2026-10879 did not allocate enough memory to handle approximately 1.2-million placeholders. DBI version 1.650 sets a hard limit of 99,999 placeholders.

Affected Products

VendorProductVersions
perldbi0

References

  • https://github.com/perl5-dbi/dbi/commit/2b77c88b655e9539a592c71a61fb965fc0075395.patch(patch)
  • https://www.cve.org/CVERecord?id=CVE-2026-10879(vendor-advisory, related)
  • https://metacpan.org/release/HMBRAND/DBI-1.650/changes(release-notes)

Related News (2 articles)

Tier A
Microsoft MSRC2d ago
CVE-2026-14739 DBI versions before 1.650 for Perl have a heap overflow when preparsing SQL statements with an extreme number of placeholders
→ No new info (linked only)
Tier C
VulDB5d ago
CVE-2026-14739 | HMBRAND DBI up to 1.649 on Perl SQL Statement Preparser out-of-bounds write
→ No new info (linked only)
CVSS 3.19.8 CRITICAL
VectorCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CISA KEV❌ No
Actively exploited✅ Yes
Patch available
1.650
CWECWE-787
PublishedJul 7, 2026
Last enriched5d agov2
Trending Score49
Source articles2
Independent2
Info Completeness8/14
Missing: cvss, epss, kev, exploit, iocs, mitre_attack

Community Vote

0
Login to vote
0 upvotes0 downvotes
No votes yet

Related CVEs (5)

NONECVE-2026-57432EXP
Perl versions through 5.43.10 have an integer overflow in S_measure_struct leading to an out-of-bounds heap read in pack and unpack
Trending: 49
NONECVE-2026-13221EXP
Perl versions through 5.43.9 produce silently incorrect regular expression matches when an alternation of more than 65535 fixed string branches is compiled into a trie in Perl_study_chunk
Trending: 49
NONECVE-2026-14380EXP
DBI versions before 1.650 for Perl are vulnerable to code injection via caller-influenced Profile
Trending: 38
NONECVE-2026-14740
DBI versions before 1.650 for Perl read one byte out-of-bounds in preparse when deleting an initial SQL comment
Trending: 35
NONECVE-2026-8450EXP
HTTP::Daemon versions before 6.17 for Perl allow OS command injection via send_file()
Trending: 26

Pin to Dashboard

Verification

State: unverified
Confidence: 0%

Vulnerability Timeline

CVE Published
Jul 7, 2026
Discovered by ZDM
Jul 7, 2026
Updated: description, severity, activelyExploited
Jul 8, 2026
Actively Exploited
Jul 8, 2026
Patch Available
Jul 8, 2026

Version History

v2
Last enriched 5d ago
v2Tier C5d ago

Updated description with new details, changed severity to CRITICAL, and noted that no exploit is available.

descriptionseverityactivelyExploited
via VulDB
v16d ago

Initial creation