PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-48962 PMQS CVE debrief

IO::Compress versions before 2.220 for Perl contain a code injection vulnerability in File::GlobMapper. The _parseOutputGlob() function wraps attacker-supplied output glob strings in double quotes and stores them in parser state; _getFiles() subsequently passes this stored expression through eval STRING. A literal double quote character in the output glob terminates the wrapper, allowing subsequent characters to be evaluated as arbitrary Perl code. This results in remote code execution at the privilege level of the calling process. The vulnerability is classified as CWE-95 (Improper Neutralization of Directives in Dynamically Evaluated Code). A patch is available that addresses the unsafe eval usage.

Vendor
PMQS
Product
IO::Compress
CVSS
HIGH 7.3
CISA KEV
Not listed in stored evidence
Original CVE published
2026-05-27
Original CVE updated
2026-05-27
Advisory published
2026-05-27
Advisory updated
2026-05-27

Who should care

Organizations running Perl applications in which an attacker can influence the output glob string handed to File::GlobMapper, either by calling the module directly or through the output fileglob form (a string delimited by < and >) accepted by the IO::Compress and IO::Uncompress interface functions; developers maintaining legacy Perl codebases that build output paths from user input; security teams monitoring for code injection in interpreted-language environments

Technical summary

The vulnerability exists in File::GlobMapper's handling of output glob strings. _parseOutputGlob() takes the caller-supplied output glob, wraps it in double quotes, and stores the result in the parser state. When _getFiles() later runs eval STRING on that stored value, a literal double quote in the original glob closes the wrapper and everything after it is parsed and executed as Perl in the calling process. The glob is turned into source text rather than treated as data, so the injected code needs nothing more than that one quote character to break out. The precondition is attacker influence over the output glob string itself: decompressing attacker-supplied archive bytes to a fixed, program-controlled output path does not reach the eval. The output glob is the second argument to File::GlobMapper->new() and is also reachable through the output fileglob form (a string delimited by < and >) that the IO::Compress and IO::Uncompress interface functions accept. Version 2.220 removes the eval STRING path.
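The quote-wrap-then-eval pattern described above, modelled as an added example written for this debrief (it is not code from IO::Compress or File::GlobMapper, and the eval-free mapper is one possible hardening, not the 2.220 patch). map_with_eval() reproduces the vulnerable shape using the '#n' placeholder syntax File::GlobMapper uses, map_without_eval() expands the same placeholders by plain substitution with no string eval, and output_glob_is_safe() is an allow-list check for globs that arrive from an untrusted caller. The function names, the file names, the input pattern and the payload are all constructed for the example; the payload only sets a flag.

```perl
#!/usr/bin/perl
# Added example for this debrief: a model of the quote-wrap-then-eval pattern,
# not File::GlobMapper's own code and not the 2.220 fix.
use strict;
use warnings;

our $injected = 0;   # flag the constructed payload sets if it executes

# Vulnerable shape. Like _parseOutputGlob(), it rewrites '#n' placeholders to
# capture variables and wraps the glob in double quotes; like _getFiles(), it
# evaluates that source text with eval STRING once per matching input file.
sub map_with_eval {
    my ($input_pattern, $output_glob, @files) = @_;
    (my $expr = $output_glob) =~ s/#(\d+)/\$$1/g;   # '#1' -> '$1'
    $expr = qq["$expr"];                            # the double-quote wrapper
    my @pairs;
    for my $file (@files) {
        next unless $file =~ $input_pattern;        # sets $1, $2, ... for the eval
        my $out = eval $expr;                       # injection point: eval STRING
        die "eval failed: $@" if $@;
        push @pairs, [ $file, $out ];
    }
    return @pairs;
}

# Returns the n-th capture or dies; used by the eval-free mapper below.
sub _capture {
    my ($caps, $n) = @_;
    die "no capture for #$n\n" unless $n >= 1 && $n <= @$caps;
    return $caps->[$n - 1];
}

# Hardened shape (one possible fix, not necessarily upstream's): the glob is
# never turned into source text. '#n' is replaced by the n-th capture of the
# input match; every other character is copied literally.
sub map_without_eval {
    my ($input_pattern, $output_glob, @files) = @_;
    my @pairs;
    for my $file (@files) {
        my @caps = ($file =~ $input_pattern) or next;
        (my $out = $output_glob) =~ s/#(\d+)/_capture(\@caps, $1)/ge;
        push @pairs, [ $file, $out ];
    }
    return @pairs;
}

# Allow-list for globs that come from an untrusted caller. Rejecting only '"'
# is not enough while the string still reaches eval: inside a double-quoted
# Perl string, @{[ ... ]} and ${\ ... } also execute code.
sub output_glob_is_safe {
    my ($glob) = @_;
    return $glob =~ m{\A[A-Za-z0-9_./*?#-]+\z} ? 1 : 0;
}

my @files   = ('report.txt', 'notes.txt');        # constructed input names
my $pattern = qr/\A(.*)\.txt\z/;                  # one capture, like '*.txt'

# A benign glob behaves the same way in both implementations.
printf "%s -> %s\n", @$_ for map_with_eval($pattern, '#1.gz', @files);
printf "%s -> %s\n", @$_ for map_without_eval($pattern, '#1.gz', @files);

# Constructed payload: the first '"' closes the wrapper, the rest is Perl.
my $payload = 'out" . ($main::injected = 1) . "';

map_with_eval($pattern, $payload, @files);
print "eval-based mapper ran the payload: $injected\n";

$injected = 0;
my @safe = map_without_eval($pattern, $payload, @files);
print "eval-free mapper ran the payload: $injected\n";
print "eval-free mapper output (literal): $safe[0][1]\n";
print "allow-list accepts '#1.gz': ", output_glob_is_safe('#1.gz'), "\n";
print "allow-list accepts payload: ", output_glob_is_safe($payload), "\n";
```

Run it with perl from the command line. Both mappers produce the same .gz names for the benign glob; the payload flag is set by the eval-based mapper and left untouched by the eval-free one, which emits the payload verbatim as a file name, and the allow-list rejects the payload while accepting the benign glob. The point of the allow-list is that it is applied before the string reaches any code path that might still eval it, so it does not depend on guessing which characters are dangerous inside a Perl double-quoted string.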

Defensive priority

critical

Recommended defensive actions

  • Upgrade IO::Compress to version 2.220 or later, and confirm the installed version through $IO::Compress::Base::VERSION, the version number the whole distribution carries
  • Audit application code for File::GlobMapper->new() and for calls to the IO::Compress or IO::Uncompress functions whose output argument is a < and > delimited fileglob string built from untrusted data
  • Run Perl processes that handle archives with least privilege; the injected code executes with the caller's identity, so that identity bounds the impact
  • Perl does not log string eval, so detection should look for unexpected child processes, outbound connections and file writes from the archive-handling Perl processes rather than for eval itself
  • Treat caller-supplied globs as data: allow-list the characters (path characters, *, ? and #n placeholders) before they reach IO::Compress rather than stripping double quotes, since a double-quoted Perl string also executes @{[ ... ]} and ${\ ... } expressions and a quote-only filter is not a sufficient fix

Evidence notes

Vulnerability description sourced from the official CVE record and NVD entry published 2026-05-27. Technical details confirmed against the commit patch and changelog references. Vendor attribution to PMQS (the Perl module maintainer) is derived from a Metacpan reference with low confidence and requires review.

Official resources

2026-05-27