{"url":"http://public2.vulnerablecode.io/api/packages/53748?format=json","purl":"pkg:deb/debian/libio-compress-perl@2.101-1?distro=trixie","type":"deb","namespace":"debian","name":"libio-compress-perl","version":"2.101-1","qualifiers":{"distro":"trixie"},"subpath":"","is_vulnerable":true,"next_non_vulnerable_version":"2.217-1","latest_non_vulnerable_version":"2.220-1","affected_by_vulnerabilities":[{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/80390?format=json","vulnerability_id":"VCID-tter-nwjj-8yc6","summary":"IO::Uncompress::Unzip versions before 2.220 for Perl allow CPU exhaustion via per-byte read loop in fastForward.\n\nfastForward() compares length $offset (the digit count of the offset, 1 to 19) against the chunk size $c instead of $offset itself, so $c shrinks from 16 KiB to 1-19 bytes per iteration.\n\nExtracting a named entry from an attacker supplied zip via IO::Uncompress::Unzip->new($zip, Name => $target) drives a per-byte read loop scaling with the entry's compressed size, up to the non-Zip64 4 GiB cap.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-48959","reference_id":"","reference_type":"","scores":[{"value":"0.0005","scoring_system":"epss","scoring_elements":"0.15857","published_at":"2026-06-11T12:55:00Z"},{"value":"0.0005","scoring_system":"epss","scoring_elements":"0.15997","published_at":"2026-06-12T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-48959"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-48959","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-48959"},{"reference_url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1138051","reference_id":"1138051","reference_type":"","scores":[],"url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1138051"},{"reference_url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1138856","reference_id":"1138856","reference_type":"","scores":[],"url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1138856"},{"reference_url":"https://github.com/pmqs/IO-Compress/commit/68db44076f4c1a86a2ffe53a958eac6cabaf72e2.patch","reference_id":"68db44076f4c1a86a2ffe53a958eac6cabaf72e2.patch","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-05-29T15:50:09Z/"}],"url":"https://github.com/pmqs/IO-Compress/commit/68db44076f4c1a86a2ffe53a958eac6cabaf72e2.patch"},{"reference_url":"https://metacpan.org/release/PMQS/IO-Compress-2.220/changes","reference_id":"changes","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-05-29T15:50:09Z/"}],"url":"https://metacpan.org/release/PMQS/IO-Compress-2.220/changes"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/53751?format=json","purl":"pkg:deb/debian/libio-compress-perl@2.220-1?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/libio-compress-perl@2.220-1%3Fdistro=trixie"}],"aliases":["CVE-2026-48959"],"risk_score":3.4,"exploitability":"0.5","weighted_severity":"6.8","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-tter-nwjj-8yc6"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/80493?format=json","vulnerability_id":"VCID-xx6w-r4n4-y3et","summary":"IO::Compress versions before 2.220 for Perl can execute arbitrary code in File::GlobMapper via an attacker-controlled output glob.\n\n_parseOutputGlob() wraps the caller-supplied output glob string in double quotes and stores it in the parser state; _getFiles() then runs the stored expression through eval STRING. A literal double quote in the output glob closes the dquote wrapper, and the characters that follow are evaluated as Perl.\n\nArbitrary Perl in the output glob executes at the calling process's privilege.","references":[{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-48962.json","reference_id":"","reference_type":"","scores":[{"value":"7.8","scoring_system":"cvssv3","scoring_elements":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"}],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-48962.json"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-48962","reference_id":"","reference_type":"","scores":[{"value":"0.00081","scoring_system":"epss","scoring_elements":"0.2414","published_at":"2026-06-12T12:55:00Z"},{"value":"0.00081","scoring_system":"epss","scoring_elements":"0.23941","published_at":"2026-06-11T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-48962"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-48962","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-48962"},{"reference_url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1138055","reference_id":"1138055","reference_type":"","scores":[],"url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1138055"},{"reference_url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1138854","reference_id":"1138854","reference_type":"","scores":[],"url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1138854"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=2481767","reference_id":"2481767","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2481767"},{"reference_url":"https://metacpan.org/release/PMQS/IO-Compress-2.220/changes","reference_id":"changes","reference_type":"","scores":[{"value":"7.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L"},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-05-27T16:01:45Z/"}],"url":"https://metacpan.org/release/PMQS/IO-Compress-2.220/changes"},{"reference_url":"https://github.com/pmqs/IO-Compress/commit/f2db247bf90d4cc7ee2710be384946081f3b4610.patch","reference_id":"f2db247bf90d4cc7ee2710be384946081f3b4610.patch","reference_type":"","scores":[{"value":"7.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L"},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-05-27T16:01:45Z/"}],"url":"https://github.com/pmqs/IO-Compress/commit/f2db247bf90d4cc7ee2710be384946081f3b4610.patch"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/53751?format=json","purl":"pkg:deb/debian/libio-compress-perl@2.220-1?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/libio-compress-perl@2.220-1%3Fdistro=trixie"}],"aliases":["CVE-2026-48962"],"risk_score":3.5,"exploitability":"0.5","weighted_severity":"7.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-xx6w-r4n4-y3et"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/22659?format=json","vulnerability_id":"VCID-yb2u-p5jv-b7d1","summary":"","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2025-15649","reference_id":"","reference_type":"","scores":[{"value":"0.00013","scoring_system":"epss","scoring_elements":"0.02128","published_at":"2026-06-11T12:55:00Z"},{"value":"0.00013","scoring_system":"epss","scoring_elements":"0.02132","published_at":"2026-06-12T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2025-15649"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-15649","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-15649"},{"reference_url":"https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml","reference_id":"","reference_type":"","scores":[{"value":"5.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H"}],"url":"https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml"},{"reference_url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1138863","reference_id":"1138863","reference_type":"","scores":[],"url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1138863"},{"reference_url":"https://github.com/pmqs/IO-Compress/issues/65","reference_id":"65","reference_type":"","scores":[{"value":"5.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H"},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-05-29T15:48:49Z/"}],"url":"https://github.com/pmqs/IO-Compress/issues/65"},{"reference_url":"https://metacpan.org/release/PMQS/IO-Compress-2.215/changes","reference_id":"changes","reference_type":"","scores":[{"value":"5.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H"},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-05-29T15:48:49Z/"}],"url":"https://metacpan.org/release/PMQS/IO-Compress-2.215/changes"},{"reference_url":"https://github.com/pmqs/IO-Compress/commit/fd28c1d2374eee9811f6d0c5bddc0957abdf1da8.patch","reference_id":"fd28c1d2374eee9811f6d0c5bddc0957abdf1da8.patch","reference_type":"","scores":[{"value":"5.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H"},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-05-29T15:48:49Z/"}],"url":"https://github.com/pmqs/IO-Compress/commit/fd28c1d2374eee9811f6d0c5bddc0957abdf1da8.patch"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/53752?format=json","purl":"pkg:deb/debian/libio-compress-perl@2.217-1?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/libio-compress-perl@2.217-1%3Fdistro=trixie"},{"url":"http://public2.vulnerablecode.io/api/packages/53751?format=json","purl":"pkg:deb/debian/libio-compress-perl@2.220-1?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/libio-compress-perl@2.220-1%3Fdistro=trixie"}],"aliases":["CVE-2025-15649"],"risk_score":2.5,"exploitability":"0.5","weighted_severity":"5.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-yb2u-p5jv-b7d1"}],"fixing_vulnerabilities":[{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/80550?format=json","vulnerability_id":"VCID-w6rm-6jj7-mucf","summary":"IO::Compress versions from 2.207 before 2.220 for Perl ship a zipdetails CLI tool that crashes with undefined subroutine on Info-ZIP Unix Extra Field with 8-byte UID or GID.\n\nWhen decode_ux() in bin/zipdetails handles an Info-ZIP Unix Extra Field (tag 0x7875) with UID Size or GID Size set to 8, causing zipdetails to decode an 8-byte UID or GID value, it dispatches through decodeLitteEndian(), which calls a misnamed helper unpackValueQ. The actual function defined in the same file is unpackValue_Q (with underscore); the call raises 'Undefined subroutine &main::unpackValueQ' and the script exits with status 255.\n\nLibrary callers of IO::Compress and IO::Uncompress are not affected; the defect is in the bundled CLI tool.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-48961","reference_id":"","reference_type":"","scores":[{"value":"0.00048","scoring_system":"epss","scoring_elements":"0.15438","published_at":"2026-06-11T12:55:00Z"},{"value":"0.00048","scoring_system":"epss","scoring_elements":"0.15573","published_at":"2026-06-12T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-48961"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-48961","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-48961"},{"reference_url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1138052","reference_id":"1138052","reference_type":"","scores":[],"url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1138052"},{"reference_url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1138855","reference_id":"1138855","reference_type":"","scores":[],"url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1138855"},{"reference_url":"https://github.com/pmqs/IO-Compress/commit/33c89d03d6e746ed2ead4f2f6570d47864c61bc7.patch","reference_id":"33c89d03d6e746ed2ead4f2f6570d47864c61bc7.patch","reference_type":"","scores":[{"value":"7.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L"},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-05-29T15:51:41Z/"}],"url":"https://github.com/pmqs/IO-Compress/commit/33c89d03d6e746ed2ead4f2f6570d47864c61bc7.patch"},{"reference_url":"https://metacpan.org/release/PMQS/IO-Compress-2.220/changes","reference_id":"changes","reference_type":"","scores":[{"value":"7.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L"},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-05-29T15:51:41Z/"}],"url":"https://metacpan.org/release/PMQS/IO-Compress-2.220/changes"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/53753?format=json","purl":"pkg:deb/debian/libio-compress-perl@0?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/libio-compress-perl@0%3Fdistro=trixie"},{"url":"http://public2.vulnerablecode.io/api/packages/53748?format=json","purl":"pkg:deb/debian/libio-compress-perl@2.101-1?distro=trixie","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-tter-nwjj-8yc6"},{"vulnerability":"VCID-xx6w-r4n4-y3et"},{"vulnerability":"VCID-yb2u-p5jv-b7d1"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/libio-compress-perl@2.101-1%3Fdistro=trixie"},{"url":"http://public2.vulnerablecode.io/api/packages/53749?format=json","purl":"pkg:deb/debian/libio-compress-perl@2.204-1?distro=trixie","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-tter-nwjj-8yc6"},{"vulnerability":"VCID-xx6w-r4n4-y3et"},{"vulnerability":"VCID-yb2u-p5jv-b7d1"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/libio-compress-perl@2.204-1%3Fdistro=trixie"},{"url":"http://public2.vulnerablecode.io/api/packages/53751?format=json","purl":"pkg:deb/debian/libio-compress-perl@2.220-1?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/libio-compress-perl@2.220-1%3Fdistro=trixie"}],"aliases":["CVE-2026-48961"],"risk_score":3.3,"exploitability":"0.5","weighted_severity":"6.6","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-w6rm-6jj7-mucf"}],"risk_score":"3.5","resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/libio-compress-perl@2.101-1%3Fdistro=trixie"}