oss-sec mailing list archives

Previous By Date Next
Previous By Thread Next

CVE-2026-8500: Web::Passwd versions through 0.03 for Perl is vulnerable to RCE

From: Robert Rothenberg <rrwo () cpansec org>
Date: Wed, 13 May 2026 23:26:02 +0100
========================================================================
CVE-2026-8500                                        CPAN Security Group
========================================================================

        CVE ID:  CVE-2026-8500
  Distribution:  Web-Passwd
      Versions:  through 0.03

      MetaCPAN:  https://metacpan.org/dist/Web-Passwd


Web::Passwd versions through 0.03 for Perl is vulnerable to RCE

Description
-----------
Web::Passwd versions through 0.03 for Perl is vulnerable to RCE.

Web::Passwd is a small CGI application for managing htpasswd files
using the htpasswd command.

The user parameter is not validated or escaped, and is used as the last
argument on the command line, allowing for command injection.

Problem types
-------------
- CWE-78 Improper Neutralization of Special Elements used in an OS
  Command

Solutions
---------
This application has not been updated since 2007 and appears to have
been abandoned. Use other solutions.


References
----------
https://metacpan.org/release/EVANK/Web-Passwd-0.03
https://httpd.apache.org/docs/current/programs/htpasswd.html

Timeline
--------
- 2007-02-08: Web::Passwd 0.03 was released
Previous By Date Next
Previous By Thread Next

Current thread: