CVE-2026-14380 (GCVE-0-2026-14380)

Vulnerability from cvelistv5 – Published: 2026-07-07 22:04 – Updated: 2026-07-08 00:28
VLAI
Title
DBI versions before 1.650 for Perl are vulnerable to code injection via caller-influenced Profile
Summary
DBI versions before 1.650 for Perl are vulnerable to code injection via caller-influenced Profile. When a string is assigned to a DBI handle's Profile attribute, DBI splits it into path, package and arguments, and interpolates the package part in a string eval with no validation of the package name. Any caller-influenced value that reaches the Profile attribute is therefore arbitrary Perl code execution, including calls to run system commands. The Profile attribute can be set from three different sources that can carry untrusted data: the DBI_PROFILE environment variable, a direct attribute assignment, and a DSN driver-attribute clause dbi:Driver(Profile=>SPEC):db. An attacker controlling any of those inputs runs arbitrary Perl in the host process. The strongest remote position is a network-exposed DBI::Gofer / DBI::ProxyServer whose per-request DSN reaches the Profile attribute, letting a client execute code on the broker host.
Severity
No CVSS data available.
CWE
  • CWE-95 - Improper Neutralization of Directives in Dynamically Evaluated Code (Eval Injection)
Assigner
Impacted products
Vendor Product Version
HMBRAND DBI Affected: 0 , < 1.650 (custom)
Create a notification for this product.
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2026-07-08T00:28:31.619Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "http://www.openwall.com/lists/oss-security/2026/07/07/16"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "collectionURL": "https://cpan.org/modules",
          "defaultStatus": "unaffected",
          "packageName": "DBI",
          "product": "DBI",
          "programFiles": [
            "lib/DBI/Profile.pm"
          ],
          "programRoutines": [
            {
              "name": "DBI::Profile::_auto_new"
            }
          ],
          "repo": "https://github.com/perl5-dbi/dbi",
          "vendor": "HMBRAND",
          "versions": [
            {
              "lessThan": "1.650",
              "status": "affected",
              "version": "0",
              "versionType": "custom"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "DBI versions before 1.650 for Perl are vulnerable to code injection via caller-influenced Profile.\n\nWhen a string is assigned to a DBI handle\u0027s Profile attribute, DBI splits it into path, package and arguments, and interpolates the package part in a string eval with no validation of the package name.\n\nAny caller-influenced value that reaches the Profile attribute is therefore arbitrary Perl code execution, including calls to run system commands.\n\nThe Profile attribute can be set from three different sources that can carry untrusted data: the DBI_PROFILE environment variable, a direct attribute assignment, and a DSN driver-attribute clause dbi:Driver(Profile=\u003eSPEC):db.\n\nAn attacker controlling any of those inputs runs arbitrary Perl in the host process. The strongest remote position is a network-exposed DBI::Gofer / DBI::ProxyServer whose per-request DSN reaches the Profile attribute, letting a client execute code on the broker host."
        }
      ],
      "impacts": [
        {
          "capecId": "CAPEC-242",
          "descriptions": [
            {
              "lang": "en",
              "value": "CAPEC-242 Code Injection"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-95",
              "description": "CWE-95 Improper Neutralization of Directives in Dynamically Evaluated Code (Eval Injection)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-07-07T22:04:49.078Z",
        "orgId": "9b29abf9-4ab0-4765-b253-1875cd9b441e",
        "shortName": "CPANSec"
      },
      "references": [
        {
          "tags": [
            "patch"
          ],
          "url": "https://github.com/perl5-dbi/dbi/commit/b73d5d9901767fc1d16b6661ef08fbed4532e259.patch"
        },
        {
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://github.com/perl5-dbi/dbi/security/advisories/GHSA-ch8w-hxc2-v557"
        },
        {
          "tags": [
            "release-notes"
          ],
          "url": "https://metacpan.org/release/HMBRAND/DBI-1.650/changes"
        }
      ],
      "solutions": [
        {
          "lang": "en",
          "value": "Upgrade to DBI version 1.650 or later."
        }
      ],
      "source": {
        "discovery": "UNKNOWN"
      },
      "title": "DBI versions before 1.650 for Perl are vulnerable to code injection via caller-influenced Profile",
      "x_generator": {
        "engine": "cpansec-cna-tool 0.1"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "9b29abf9-4ab0-4765-b253-1875cd9b441e",
    "assignerShortName": "CPANSec",
    "cveId": "CVE-2026-14380",
    "datePublished": "2026-07-07T22:04:49.078Z",
    "dateReserved": "2026-07-01T21:17:54.504Z",
    "dateUpdated": "2026-07-08T00:28:31.619Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "vulnerability-lookup:meta": {
    "epss": {
      "cve": "CVE-2026-14380",
      "date": "2026-07-08",
      "epss": "0.00237",
      "percentile": "0.14591"
    },
    "nvd": "{\"cve\":{\"id\":\"CVE-2026-14380\",\"sourceIdentifier\":\"9b29abf9-4ab0-4765-b253-1875cd9b441e\",\"published\":\"2026-07-07T23:16:53.963\",\"lastModified\":\"2026-07-08T01:16:26.117\",\"vulnStatus\":\"Received\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"DBI versions before 1.650 for Perl are vulnerable to code injection via caller-influenced Profile.\\n\\nWhen a string is assigned to a DBI handle\u0027s Profile attribute, DBI splits it into path, package and arguments, and interpolates the package part in a string eval with no validation of the package name.\\n\\nAny caller-influenced value that reaches the Profile attribute is therefore arbitrary Perl code execution, including calls to run system commands.\\n\\nThe Profile attribute can be set from three different sources that can carry untrusted data: the DBI_PROFILE environment variable, a direct attribute assignment, and a DSN driver-attribute clause dbi:Driver(Profile=\u003eSPEC):db.\\n\\nAn attacker controlling any of those inputs runs arbitrary Perl in the host process. The strongest remote position is a network-exposed DBI::Gofer / DBI::ProxyServer whose per-request DSN reaches the Profile attribute, letting a client execute code on the broker host.\"}],\"affected\":[{\"source\":\"9b29abf9-4ab0-4765-b253-1875cd9b441e\",\"affectedData\":[{\"vendor\":\"HMBRAND\",\"product\":\"DBI\",\"defaultStatus\":\"unaffected\",\"collectionURL\":\"https://cpan.org/modules\",\"packageName\":\"DBI\",\"programFiles\":[\"lib/DBI/Profile.pm\"],\"programRoutines\":[{\"name\":\"DBI::Profile::_auto_new\"}],\"repo\":\"https://github.com/perl5-dbi/dbi\",\"versions\":[{\"version\":\"0\",\"lessThan\":\"1.650\",\"versionType\":\"custom\",\"status\":\"affected\"}]}]}],\"metrics\":{},\"weaknesses\":[{\"source\":\"9b29abf9-4ab0-4765-b253-1875cd9b441e\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-95\"}]}],\"references\":[{\"url\":\"https://github.com/perl5-dbi/dbi/commit/b73d5d9901767fc1d16b6661ef08fbed4532e259.patch\",\"source\":\"9b29abf9-4ab0-4765-b253-1875cd9b441e\"},{\"url\":\"https://github.com/perl5-dbi/dbi/security/advisories/GHSA-ch8w-hxc2-v557\",\"source\":\"9b29abf9-4ab0-4765-b253-1875cd9b441e\"},{\"url\":\"https://metacpan.org/release/HMBRAND/DBI-1.650/changes\",\"source\":\"9b29abf9-4ab0-4765-b253-1875cd9b441e\"},{\"url\":\"http://www.openwall.com/lists/oss-security/2026/07/07/16\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"}]}}"
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.


Loading…

Loading…

Loading…

Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.

Sightings

Author Source Type Date Other

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Loading…

Detection rules are retrieved from Rulezet.

Loading…

Loading…