CVE-2026-14740
CRITICALDBI versions before 1.650 for Perl read one byte out-of-bounds in preparse when deleting an initial SQL comment
Title source: cnaDescription
DBI versions before 1.650 for Perl read one byte out-of-bounds in preparse when deleting an initial SQL comment. The preparse method normalises SQL and removes comments. When the SQL starts with a comment line, the deletion of that line during normalisation led to an out-of-bounds read by one byte. The result is a fault on memory-hardened builds and nondeterministic newline retention on normal builds.
References (4)
Core 4
Core References
Vendor Advisory vendor-advisory
https://github.com/perl5-dbi/dbi/security/advisories/GHSA-35f4-f8m9-w8xg
Release Notes release-notes
https://metacpan.org/release/HMBRAND/DBI-1.650/changes
Scores
CVSS v3
9.1
EPSS
0.0019
EPSS Percentile
8.5%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
yes
Technical Impact
total
Details
CWE
CWE-125
Status
published
Products (1)
HMBRAND/DBI
< 1.650
Published
Jul 07, 2026
Tracked Since
Jul 08, 2026