CVE-2026-14380
Gravedad:
Pendiente de análisis
Tipo:
No Disponible / Otro tipo
Fecha de publicación:
07/07/2026
Última modificación:
08/07/2026
Descripción
*** Pendiente de traducción *** DBI versions before 1.650 for Perl are vulnerable to code injection via caller-influenced Profile.<br />
<br />
When a string is assigned to a DBI handle&#39;s Profile attribute, DBI splits it into path, package and arguments, and interpolates the package part in a string eval with no validation of the package name.<br />
<br />
Any caller-influenced value that reaches the Profile attribute is therefore arbitrary Perl code execution, including calls to run system commands.<br />
<br />
The Profile attribute can be set from three different sources that can carry untrusted data: the DBI_PROFILE environment variable, a direct attribute assignment, and a DSN driver-attribute clause dbi:Driver(Profile=>SPEC):db.<br />
<br />
An attacker controlling any of those inputs runs arbitrary Perl in the host process. The strongest remote position is a network-exposed DBI::Gofer / DBI::ProxyServer whose per-request DSN reaches the Profile attribute, letting a client execute code on the broker host.



