Perl

This hub aggregates every CVE we track for Perl, a product in the oss libraries space. Use it to gauge the current risk picture and drill into individual advisories.

Severity distribution

Monthly trend

The 15 most recently published vulnerabilities affecting Perl.

• CVE-2026-8376Perl versions through 5.43.10 have a heap buffer overflow when compiling regular expressions with a repeated fixed string on 32-bit builds9.8May 25, 2026
• CVE-2026-4176Perl versions from 5.9.4 before 5.40.4-RC1, from 5.41.0 before 5.42.2-RC1, from 5.43.0 before 5.43.9 contain a vulnerable version of Compress::Raw::Zlib9.8Mar 29, 2026
• CVE-2025-40918Authen::SASL::Perl::DIGEST_MD5 versions 2.04 through 2.1800 for Perl generates the cnonce insecurely6.5Jul 16, 2025
• CVE-2025-40909Perl threads have a working directory race condition where file operations may target unintended paths5.9May 30, 2025
• CVE-2024-56406Perl is vulnerable to a heap buffer overflow when transliterating non-ASCII bytes8.4Apr 13, 2025
• CVE-2025-1860Data::Entropy for Perl uses insecure rand() function for cryptographic functions7.7Mar 28, 2025
• CVE-2023-47039Perl: perl for windows binary hijacking vulnerability7.8Jan 2, 2024
• CVE-2023-47038Perl: write past buffer end via illegal user-defined unicode property7.0Dec 18, 2023
• CVE-2022-48522In Perl 5.34.0, function S_find_uninit_var in sv.c has a stack-based crash that can lead to remote code execution or local privilege escalation.9.8Aug 22, 2023
• CVE-2023-31486HTTP::Tiny before 0.083, a Perl core module since 5.13.9 and available standalone on CPAN, has an insecure default TLS configuration where users must opt in to verify certificates.8.1Apr 28, 2023
• CVE-2023-31484CPAN.pm before 2.35 does not verify TLS certificates when downloading distributions over HTTPS.8.1Apr 28, 2023
• BDU:2023-00622Уязвимость функции pp_select () интерпретатора Perl, позволяющая нарушителю вызвать отказ в обслуживании4.4Feb 8, 2023
• CVE-2020-16156CPAN 2.28 allows Signature Verification Bypass.7.8Dec 13, 2021
• CVE-2021-36770Encode.pm, as distributed in Perl through 5.34.0, allows local users to gain privileges via a Trojan horse Encode::ConfigLocal library (in the current working directory) that preempts dynamic modul...7.8Aug 11, 2021
• CVE-2019-20919An issue was discovered in the DBI module before 1.643 for Perl. The hv_fetch() documentation requires checking for NULL and the code does that. But, shortly thereafter, it calls SvOK(profile), cau...4.7Sep 17, 2020