CVE-2026-8500

CRITICAL

Perl Web::Passwd <= 0.03 - Command Injection Remote Code Execution

Title source: manual

Description

Web::Passwd versions through 0.03 for Perl is vulnerable to RCE. Web::Passwd is a small CGI application for managing htpasswd files using the htpasswd command. The user parameter is not validated or escaped, and is used as the last argument on the command line, allowing for command injection.

References (3)

Core 3

Core References

https://metacpan.org/release/EVANK/Web-Passwd-0.03

https://httpd.apache.org/docs/current/programs/htpasswd.html

Mailing List

http://www.openwall.com/lists/oss-security/2026/05/13/8

Scores

CVSS v3 9.8

EPSS 0.0165

EPSS Percentile 73.4%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment

Exploitation poc

Automatable yes

Technical Impact total

Details

CWE

CWE-78

Status published

Products (1)

EVANK/Web::Passwd < 0.03

Published May 13, 2026

Tracked Since May 14, 2026