Zero Day Monitor (ZDM)
CVE-2026-48962 · CVSS 7.5 · EXPLOITED · PATCHED
perl · io::compress

IO::Compress versions before 2.220 for Perl can execute arbitrary code in File::GlobMapper via an attacker-controlled output glob

Description

IO::Compress versions before 2.220 for Perl can execute arbitrary code in File::GlobMapper via an attacker-controlled output glob. _parseOutputGlob() wraps the caller-supplied output glob string in double quotes and stores it in the parser state; _getFiles() then runs the stored expression through eval STRING. A literal double quote in the output glob closes the dquote wrapper, and the characters that follow are evaluated as Perl. Arbitrary Perl in the output glob executes at the calling process's privilege.

Affected Products

Vendor | Product | Versions
perl | io::compress | 0

Also Affects

Downstream vendors/products affected by this vulnerability

Vendor | Product | Source | Confidence
red hat | enterprise linux | cert_advisory | 90%

References

  • https://github.com/pmqs/IO-Compress/commit/f2db247bf90d4cc7ee2710be384946081f3b4610.patch (patch)
  • https://metacpan.org/release/PMQS/IO-Compress-2.220/changes (release-notes)

Related News (5 articles)

Tier B · BSI Advisories · 2d ago
[NEW] [medium] Red Hat Enterprise Linux (perl-IO-Compress): Vulnerability allows execution of arbitrary program code with the privileges of the service
→ No new info (linked only)

Tier B · CERT-FR · 18d ago
Multiple vulnerabilities in Microsoft products (10 June 2026)
→ No new info (linked only)

Tier A · Microsoft MSRC · 27d ago
CVE-2026-48962 IO::Compress versions before 2.220 for Perl can execute arbitrary code in File::GlobMapper via an attacker-controlled output glob
→ No new info (linked only)

Tier C · VulDB · 31d ago
CVE-2026-48962 | PMQS IO::Compress up to 2.219 on Perl _parseOutputGlob eval injection
→ No new info (linked only)

Tier C · oss-security · 31d ago
CVE-2026-48962: IO::Compress versions before 2.220 for Perl can execute arbitrary code in File::GlobMapper via an attacker-controlled output glob
→ No new info (linked only)

CVSS 3.1: 7.5 HIGH
CISA KEV: ❌ No
Actively exploited: ✅ Yes
Patch available: 2.220
CWE: CWE-95
Published: May 27, 2026
Last enriched: 2d ago (v4)
Tags: CVE-2026-48962, Red Hat
Trending Score: 52
Source articles: 5
Independent: 5
Info Completeness: 10/14
Missing: epss, kev, iocs, mitre_attack


Related CVEs (5)

HIGH · CVE-2026-11702 · EXP
Bytes::Random::Secure::Tiny versions through 1.011 for Perl share internal state across forked processes
Trending: 56

HIGH · CVE-2026-11625 · EXP
Bytes::Random::Secure versions through 0.29 for Perl share internal state across forked processes
Trending: 56

HIGH · CVE-2026-12844 · EXP
List::SomeUtils::XS versions before 0.59 for Perl have a heap buffer overflow in the pairwise function
Trending: 46

NONE · CVE-2026-12087 · EXP
Socket versions before 2.041 for Perl have an out-of-bounds heap read
Trending: 17

NONE · CVE-2026-9698 · EXP
DBI versions before 1.648 for Perl saved errors in a limited-sized buffer
Trending: 6


Verification

State: unverified
Confidence: 0%

Vulnerability Timeline

May 27, 2026 · CVE Published
May 27, 2026 · Discovered by ZDM
May 27, 2026 · Updated: severity, cvssEstimate, exploitAvailable, activelyExploited
May 27, 2026 · Updated: severity, cweIds, tags
May 27, 2026 · Actively Exploited
May 27, 2026 · Exploit Available
May 27, 2026 · Patch Available
Jun 25, 2026 · Updated: severity, tags

Version History

v4 · Last enriched 2d ago

v4 · Tier B · 2d ago

Updated vendor to Red Hat, product to Enterprise Linux, severity to HIGH, and added new tag for Red Hat.

Changed fields: severity, tags
via BSI Advisories

v3 · Tier C · 31d ago

Updated severity to CRITICAL, added CWE-94, and included CVE-2026-48962 as a new tag.

Changed fields: severity, cweIds, tags
via VulDB

v2 · Tier C · 31d ago

Updated severity to HIGH, added CVSS estimate of 7.5, and marked the vulnerability as actively exploited with an exploit available.

Changed fields: severity, cvssEstimate, exploitAvailable, activelyExploited
via oss-security

v1 · 32d ago

Initial creation