{"url":"http://public2.vulnerablecode.io/api/packages/195753?format=json","purl":"pkg:deb/debian/libcrypt-openssl-pkcs12-perl@1.94-1","type":"deb","namespace":"debian","name":"libcrypt-openssl-pkcs12-perl","version":"1.94-1","qualifiers":{},"subpath":"","is_vulnerable":true,"next_non_vulnerable_version":"1.95-1","latest_non_vulnerable_version":"1.95-1","affected_by_vulnerabilities":[{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/75768?format=json","vulnerability_id":"VCID-eeug-5k5g-8uau","summary":"Crypt::OpenSSL::PKCS12 versions through 1.94 for Perl truncate passwords that contain embedded NUL bytes.  Password parameters in PKCS12.xs are declared char *, which routes through Perl's default typemap to SvPV_nolen.  The Perl length is discarded.  The C code (or OpenSSL internally) calls strlen() on the buffer.  Any password byte at or after the first NUL byte is silently dropped. Binary / KDF-derived / HMAC-derived passwords lose entropy without any warning.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-8721","reference_id":"","reference_type":"","scores":[{"value":"0.0002","scoring_system":"epss","scoring_elements":"0.05721","published_at":"2026-06-06T12:55:00Z"},{"value":"0.0002","scoring_system":"epss","scoring_elements":"0.05679","published_at":"2026-06-08T12:55:00Z"},{"value":"0.0002","scoring_system":"epss","scoring_elements":"0.05714","published_at":"2026-06-09T12:55:00Z"},{"value":"0.0002","scoring_system":"epss","scoring_elements":"0.05735","published_at":"2026-06-05T12:55:00Z"},{"value":"0.0002","scoring_system":"epss","scoring_elements":"0.05722","published_at":"2026-06-07T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-8721"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-8721","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-8721"},{"reference_url":"https://metacpan.org/release/JONASBN/Crypt-OpenSSL-PKCS12-1.95
/view/Changes.md","reference_id":"Changes.md","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:T/P:M/B:A/M:M/D:T/2026-05-18T12:56:25Z/"}],"url":"https://metacpan.org/release/JONASBN/Crypt-OpenSSL-PKCS12-1.95/view/Changes.md"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/195754?format=json","purl":"pkg:deb/debian/libcrypt-openssl-pkcs12-perl@1.95-1","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/libcrypt-openssl-pkcs12-perl@1.95-1"}],"aliases":["CVE-2026-8721"],"risk_score":2.5,"exploitability":"0.5","weighted_severity":"4.9","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-eeug-5k5g-8uau"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/75766?format=json","vulnerability_id":"VCID-tzea-v2u9-eqfa","summary":"Crypt::OpenSSL::PKCS12 versions through 1.94 for Perl have out-of-bounds (OOB) write flaws.  
When a PKCS12 file with a >= 1 GiB OCTET STRING (or BIT STRING) attribute on a SAFEBAG is parsed via info() or info_as_hash(), a signed integer overflow in the size calculation passed to Renew() triggers a heap out-of-bounds write with remote-code-execution (RCE) potential.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-8507","reference_id":"","reference_type":"","scores":[{"value":"0.00051","scoring_system":"epss","scoring_elements":"0.16419","published_at":"2026-06-05T12:55:00Z"},{"value":"0.00051","scoring_system":"epss","scoring_elements":"0.16311","published_at":"2026-06-09T12:55:00Z"},{"value":"0.00051","scoring_system":"epss","scoring_elements":"0.16292","published_at":"2026-06-08T12:55:00Z"},{"value":"0.00051","scoring_system":"epss","scoring_elements":"0.16373","published_at":"2026-06-07T12:55:00Z"},{"value":"0.00051","scoring_system":"epss","scoring_elements":"0.16417","published_at":"2026-06-06T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-8507"},{"reference_url":"https://github.com/dsully/perl-crypt-openssl-pkcs12/issues/55","reference_id":"55","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:T/P:M/B:A/M:M/D:T/2026-05-18T12:54:57Z/"}],"url":"https://github.com/dsully/perl-crypt-openssl-pkcs12/issues/55"},{"reference_url":"https://github.com/dsully/perl-crypt-openssl-pkcs12/issues/56","reference_id":"56","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:T/P:M/B:A/M:M/D:T/2026-05-18T12:54:57Z/"}],"url":"https://github.com/dsully/perl-crypt-openssl-pkcs12/issues/56"},{"reference_url":"https://github.com/dsully/perl-crypt-openssl-pkcs12/commit/b9d0469c6d8f
5b5c6c2a45a3d0647a532b749397.patch","reference_id":"b9d0469c6d8f5b5c6c2a45a3d0647a532b749397.patch","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:T/P:M/B:A/M:M/D:T/2026-05-18T12:54:57Z/"}],"url":"https://github.com/dsully/perl-crypt-openssl-pkcs12/commit/b9d0469c6d8f5b5c6c2a45a3d0647a532b749397.patch"},{"reference_url":"https://metacpan.org/release/JONASBN/Crypt-OpenSSL-PKCS12-1.95/view/Changes.md","reference_id":"Changes.md","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:T/P:M/B:A/M:M/D:T/2026-05-18T12:54:57Z/"}],"url":"https://metacpan.org/release/JONASBN/Crypt-OpenSSL-PKCS12-1.95/view/Changes.md"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/195754?format=json","purl":"pkg:deb/debian/libcrypt-openssl-pkcs12-perl@1.95-1","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/libcrypt-openssl-pkcs12-perl@1.95-1"}],"aliases":["CVE-2026-8507"],"risk_score":4.4,"exploitability":"0.5","weighted_severity":"8.8","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-tzea-v2u9-eqfa"}],"fixing_vulnerabilities":[],"risk_score":"4.4","resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/libcrypt-openssl-pkcs12-perl@1.94-1"}