CVE-2026-48962

HIGH

IO::Compress versions before 2.220 for Perl can execute arbitrary code in File::GlobMapper via an attacker-controlled output glob

Title source: cna

Exploitation Summary

EIP tracks 1 public exploit for CVE-2026-48962. PoCs published by JoakimBulow.

AI-analyzed exploit summary The repository contains a functional exploit PoC for CVE-2026-48962, demonstrating an eval injection vulnerability in `File::GlobMapper::_getFiles()` that allows arbitrary Perl code execution via crafted fileglob arguments in `IO::Compress::*` functions.

Description

IO::Compress versions before 2.220 for Perl can execute arbitrary code in File::GlobMapper via an attacker-controlled output glob. _parseOutputGlob() wraps the caller-supplied output glob string in double quotes and stores it in the parser state; _getFiles() then runs the stored expression through eval STRING. A literal double quote in the output glob closes the dquote wrapper, and the characters that follow are evaluated as Perl. Arbitrary Perl in the output glob executes at the calling process's privilege.

Exploits (1)

github WORKING POC

by JoakimBulow · poc

https://github.com/JoakimBulow/CVE-2026-48962

View Code ZIP pw:eip

The repository contains a functional exploit PoC for CVE-2026-48962, demonstrating an eval injection vulnerability in `File::GlobMapper::_getFiles()` that allows arbitrary Perl code execution via crafted fileglob arguments in `IO::Compress::*` functions.

Classification

Working Poc 100%

Attack Type

Rce

Complexity

Trivial

Reliability

Reliable

Target: IO-Compress (File::GlobMapper) versions up to 2.219

No auth needed

Prerequisites: Ability to control the output fileglob argument passed to `IO::Compress::*` functions

MITRE ATT&CK

T1190 - Exploit Public-Facing Application T1059 - Command and Scripting Interpreter T1203 - Exploitation for Client Execution

devstral-2 · analyzed Jun 10, 2026 Full analysis →

References (3)

Core 3

Core References

Mailing List

http://www.openwall.com/lists/oss-security/2026/05/27/4

Patch patch

https://github.com/pmqs/IO-Compress/commit/f2db247bf90d4cc7ee2710be384946081f3b4610.patch

Release Notes release-notes

https://metacpan.org/release/PMQS/IO-Compress-2.220/changes

Scores

CVSS v3 7.3

EPSS 0.0008

EPSS Percentile 24.1%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

CISA SSVC

Vulnrichment

Exploitation none

Automatable yes

Technical Impact partial

Details

CWE

CWE-95

Status published

Products (1)

PMQS/IO::Compress < 2.220

Published May 27, 2026

Tracked Since May 27, 2026