{"url":"http://public2.vulnerablecode.io/api/packages/196385?format=json","purl":"pkg:deb/debian/libhttp-daemon-perl@6.12-1%2Bdeb11u1","type":"deb","namespace":"debian","name":"libhttp-daemon-perl","version":"6.12-1+deb11u1","qualifiers":{},"subpath":"","is_vulnerable":true,"next_non_vulnerable_version":"6.17-1","latest_non_vulnerable_version":"6.17-1","affected_by_vulnerabilities":[{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/76288?format=json","vulnerability_id":"VCID-ekvh-gemg-vuf8","summary":"HTTP::Daemon versions before 6.17 for Perl allow OS command injection via send_file().  send_file() opens its string argument with Perl's 2-arg open(). The 2-arg form interprets magic prefixes: '| cmd' and 'cmd |' open a pipe to a subprocess, '> path' and '>> path' open the path for write or append.  Untrusted input passed to send_file() can run OS commands at the daemon process UID. The read-pipe form ('cmd |') also leaks subprocess stdout into the HTTP response body. The write-mode forms can create or truncate files at attacker chosen paths.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-8450","reference_id":"","reference_type":"","scores":[{"value":"0.00234","scoring_system":"epss","scoring_elements":"0.4644","published_at":"2026-06-05T12:55:00Z"},{"value":"0.00234","scoring_system":"epss","scoring_elements":"0.46405","published_at":"2026-06-09T12:55:00Z"},{"value":"0.00234","scoring_system":"epss","scoring_elements":"0.46395","published_at":"2026-06-08T12:55:00Z"},{"value":"0.00234","scoring_system":"epss","scoring_elements":"0.46421","published_at":"2026-06-07T12:55:00Z"},{"value":"0.00234","scoring_system":"epss","scoring_elements":"0.46441","published_at":"2026-06-06T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-8450"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-8450","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-8450"},{"reference_url":"https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml","reference_id":"","reference_type":"","scores":[{"value":"8.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H"}],"url":"https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml"},{"reference_url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1138050","reference_id":"1138050","reference_type":"","scores":[],"url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1138050"},{"reference_url":"https://github.com/libwww-perl/HTTP-Daemon/pull/89","reference_id":"89","reference_type":"","scores":[{"value":"9.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N"},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:T/P:M/B:A/M:M/D:T/2026-05-27T15:46:44Z/"}],"url":"https://github.com/libwww-perl/HTTP-Daemon/pull/89"},{"reference_url":"https://github.com/libwww-perl/HTTP-Daemon/commit/945d35141d94490f749640bd4390acd6a2193995.patch","reference_id":"945d35141d94490f749640bd4390acd6a2193995.patch","reference_type":"","scores":[{"value":"9.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N"},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:T/P:M/B:A/M:M/D:T/2026-05-27T15:46:44Z/"}],"url":"https://github.com/libwww-perl/HTTP-Daemon/commit/945d35141d94490f749640bd4390acd6a2193995.patch"},{"reference_url":"https://metacpan.org/release/OALDERS/HTTP-Daemon-6.17/changes","reference_id":"changes","reference_type":"","scores":[{"value":"9.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N"},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:T/P:M/B:A/M:M/D:T/2026-05-27T15:46:44Z/"}],"url":"https://metacpan.org/release/OALDERS/HTTP-Daemon-6.17/changes"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/196387?format=json","purl":"pkg:deb/debian/libhttp-daemon-perl@6.17-1","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/libhttp-daemon-perl@6.17-1"}],"aliases":["CVE-2026-8450"],"risk_score":4.1,"exploitability":"0.5","weighted_severity":"8.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-ekvh-gemg-vuf8"}],"fixing_vulnerabilities":[{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/76287?format=json","vulnerability_id":"VCID-hey3-w3s3-47gt","summary":"HTTP::Daemon is a simple http server class written in perl. Versions prior to 6.15 are subject to a vulnerability which could potentially be exploited to gain privileged access to APIs or poison intermediate caches. It is uncertain how large the risks are, most Perl based applications are served on top of Nginx or Apache, not on the `HTTP::Daemon`. This library is commonly used for local development and tests. Users are advised to update to resolve this issue. Users unable to upgrade may add additional request handling logic as a mitigation. After calling `my $rqst = $conn->get_request()` one could inspect the returned `HTTP::Request` object. Querying the 'Content-Length' (`my $cl = $rqst->header('Content-Length')`) will show any abnormalities that should be dealt with by a `400` response. Expected strings of 'Content-Length' SHOULD consist of either a single non-negative integer, or, a comma separated repetition of that number. (that is `42` or `42, 42, 42`). Anything else MUST be rejected.","references":[{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2022-31081.json","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N"}],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2022-31081.json"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2022-31081","reference_id":"","reference_type":"","scores":[{"value":"0.00531","scoring_system":"epss","scoring_elements":"0.67639","published_at":"2026-06-08T12:55:00Z"},{"value":"0.00531","scoring_system":"epss","scoring_elements":"0.67618","published_at":"2026-06-04T12:55:00Z"},{"value":"0.00531","scoring_system":"epss","scoring_elements":"0.67658","published_at":"2026-06-05T12:55:00Z"},{"value":"0.00531","scoring_system":"epss","scoring_elements":"0.67665","published_at":"2026-06-06T12:55:00Z"},{"value":"0.00531","scoring_system":"epss","scoring_elements":"0.67655","published_at":"2026-06-09T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2022-31081"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-31081","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-31081"},{"reference_url":"https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N"}],"url":"https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml"},{"reference_url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1014808","reference_id":"1014808","reference_type":"","scores":[],"url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1014808"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=2105085","reference_id":"2105085","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2105085"},{"reference_url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/7U4XEPZ5Q3LNOQF3E6EXFWVSEXU5IZ6T/","reference_id":"7U4XEPZ5Q3LNOQF3E6EXFWVSEXU5IZ6T","reference_type":"","scores":[{"value":"7.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L"},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2025-04-22T15:40:42Z/"}],"url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/7U4XEPZ5Q3LNOQF3E6EXFWVSEXU5IZ6T/"},{"reference_url":"https://github.com/libwww-perl/HTTP-Daemon/commit/8dc5269d59e2d5d9eb1647d82c449ccd880f7fd0","reference_id":"8dc5269d59e2d5d9eb1647d82c449ccd880f7fd0","reference_type":"","scores":[{"value":"7.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L"},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2025-04-22T15:40:42Z/"}],"url":"https://github.com/libwww-perl/HTTP-Daemon/commit/8dc5269d59e2d5d9eb1647d82c449ccd880f7fd0"},{"reference_url":"https://github.com/libwww-perl/HTTP-Daemon/commit/e84475de51d6fd7b29354a997413472a99db70b2","reference_id":"e84475de51d6fd7b29354a997413472a99db70b2","reference_type":"","scores":[{"value":"7.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L"},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2025-04-22T15:40:42Z/"}],"url":"https://github.com/libwww-perl/HTTP-Daemon/commit/e84475de51d6fd7b29354a997413472a99db70b2"},{"reference_url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ECJ4ZPBQWD3B2CD6RRIVMENB5KUOJ3LC/","reference_id":"ECJ4ZPBQWD3B2CD6RRIVMENB5KUOJ3LC","reference_type":"","scores":[{"value":"7.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L"},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2025-04-22T15:40:42Z/"}],"url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ECJ4ZPBQWD3B2CD6RRIVMENB5KUOJ3LC/"},{"reference_url":"https://github.com/libwww-perl/HTTP-Daemon/security/advisories/GHSA-cg8c-pxmv-w7cf","reference_id":"GHSA-cg8c-pxmv-w7cf","reference_type":"","scores":[{"value":"7.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L"},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2025-04-22T15:40:42Z/"}],"url":"https://github.com/libwww-perl/HTTP-Daemon/security/advisories/GHSA-cg8c-pxmv-w7cf"},{"reference_url":"http://metacpan.org/release/HTTP-Daemon/","reference_id":"HTTP-Daemon","reference_type":"","scores":[{"value":"7.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L"},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2025-04-22T15:40:42Z/"}],"url":"http://metacpan.org/release/HTTP-Daemon/"},{"reference_url":"https://lists.debian.org/debian-lts-announce/2022/09/msg00038.html","reference_id":"msg00038.html","reference_type":"","scores":[{"value":"7.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L"},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2025-04-22T15:40:42Z/"}],"url":"https://lists.debian.org/debian-lts-announce/2022/09/msg00038.html"},{"reference_url":"https://datatracker.ietf.org/doc/html/rfc7230#section-9.5","reference_id":"rfc7230#section-9.5","reference_type":"","scores":[{"value":"7.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L"},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2025-04-22T15:40:42Z/"}],"url":"https://datatracker.ietf.org/doc/html/rfc7230#section-9.5"},{"reference_url":"https://usn.ubuntu.com/5520-1/","reference_id":"USN-5520-1","reference_type":"","scores":[],"url":"https://usn.ubuntu.com/5520-1/"},{"reference_url":"https://usn.ubuntu.com/5520-2/","reference_id":"USN-5520-2","reference_type":"","scores":[],"url":"https://usn.ubuntu.com/5520-2/"},{"reference_url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/XQBW2D43TDNYX4R2YBTNNZDBNZ45DINN/","reference_id":"XQBW2D43TDNYX4R2YBTNNZDBNZ45DINN","reference_type":"","scores":[{"value":"7.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L"},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2025-04-22T15:40:42Z/"}],"url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/XQBW2D43TDNYX4R2YBTNNZDBNZ45DINN/"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/196385?format=json","purl":"pkg:deb/debian/libhttp-daemon-perl@6.12-1%2Bdeb11u1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-ekvh-gemg-vuf8"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/libhttp-daemon-perl@6.12-1%252Bdeb11u1"}],"aliases":["CVE-2022-31081"],"risk_score":3.3,"exploitability":"0.5","weighted_severity":"6.6","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-hey3-w3s3-47gt"}],"risk_score":"4.1","resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/libhttp-daemon-perl@6.12-1%252Bdeb11u1"}