PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-11526 RURBAN CVE debrief

CVE-2026-11526 is a vulnerability in the GD Perl library (the GD module on CPAN) that allows OS command injection and arbitrary file overwrite. The flaw is in the internal _make_filehandle function, which passes a caller-supplied filename to Perl's 2-argument open(). In that form, open() parses the mode out of the string itself, so a filename containing a pipe character (|) runs a shell command and a filename beginning with a redirect (>) truncates or creates a file instead of reading an image. An attacker who controls the filename handed to a GD constructor can therefore execute commands or overwrite files. GD versions before 2.86 are affected.

Vendor: RURBAN
Product: GD
CVSS: Unknown
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-06-14
Original CVE updated: 2026-06-15
Advisory published: 2026-06-14
Advisory updated: 2026-06-15

Who should care

Developers and administrators whose applications use the GD Perl library, in particular any code that builds the filename passed to a GD constructor (new, newFromPng, newFromJpeg and similar) from untrusted data such as file uploads, request parameters or user-supplied paths, should treat this as urgent. Upgrade to GD 2.86 or later and make sure no attacker-influenced string reaches a filename-accepting constructor without strict validation.

Technical summary

The _make_filehandle function in the GD Perl library opens its filename argument with Perl's 2-argument open(). Unlike the 3-argument form, 2-argument open() treats the string as "mode plus path": a leading or trailing pipe (|) forks a shell and runs the rest of the string as a command, a leading > or >> opens the path for writing (truncating or appending), a leading < selects read mode, a bare - means STDIN, and leading and trailing whitespace is stripped before any of this is interpreted. Consequently, an attacker who controls the filename can execute arbitrary OS commands (for example "|cmd" or "cmd |") or overwrite files (for example ">/path/to/file") rather than have an image read. The vulnerability affects all filename-accepting constructors, including new, newFromPng, and newFromJpeg, because they all route through _make_filehandle.

Defensive priority

High

Recommended defensive actions

  • Upgrade to GD version 2.86 or later.
  • Never pass an untrusted string as the filename to a GD constructor. If the name must come from user input, validate it against an allow-list (for example a basename matching a strict pattern, resolved under a fixed directory) and reject anything containing |, a leading >, <, or a bare -.
  • Where possible, open the file in your own code with the 3-argument open() and an explicit mode, then pass the filehandle to the constructor, or read the bytes yourself and use the in-memory *Data variants (newFromPngData, newFromJpegData and similar), which take image data rather than a filename and are unaffected by this vulnerability.
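The following script is an added example, not code from GD or from this advisory. It contrasts the 2-argument open() pattern the technical summary describes with a 3-argument open() that pins the mode, and implements the filename allow-list check recommended above. The helper names (open_2arg_unsafe, open_3arg_safe, filename_is_plain) and the sample inputs are constructed for illustration; the path-traversal rule is an assumed policy, not something the advisory specifies.

```perl
#!/usr/bin/env perl
# Added example (not GD's own code): shows why 2-arg open() on an
# attacker-controlled string is dangerous and how to avoid it.
use strict;
use warnings;

# VULNERABLE: mirrors the pattern described in the advisory. Perl derives
# the mode from the string, so "|cmd", "cmd |" and ">file" change what
# open() does. Never call this on untrusted input; it is shown only for
# contrast and is not invoked on the dangerous samples below.
sub open_2arg_unsafe {
    my ($name) = @_;
    open(my $fh, $name) or die "open failed: $!";    # 2-arg open
    return $fh;
}

# HARDENED: 3-arg open with an explicit read-only mode. The third
# argument is always a plain path; "|", ">" and "-" mean nothing special.
sub open_3arg_safe {
    my ($name) = @_;
    open(my $fh, '<', $name) or die "open failed: $!";
    return $fh;
}

# Defence in depth: reject any name that 2-arg open() would interpret as
# a mode prefix or suffix, plus NUL bytes and path traversal (assumed
# policy). Rejecting a leading "-" is deliberately conservative.
sub filename_is_plain {
    my ($name) = @_;
    return 0 unless defined $name && length $name;
    return 0 if $name =~ /^\s*[<>+|-]/;        # leading mode characters
    return 0 if $name =~ /\|\s*$/;             # trailing pipe
    return 0 if $name =~ /\0/;                 # embedded NUL
    return 0 if $name =~ /(^|\/)\.\.(\/|$)/;   # ".." path component
    return 1;
}

# Constructed sample inputs (not from the advisory).
my @inputs = (
    'photo.png',
    '|id >/tmp/pwned',      # command injection via leading pipe
    'id |',                 # command injection via trailing pipe
    '>/tmp/important.png',  # would truncate the file
    '-',                    # would read STDIN
    '../../etc/passwd',     # traversal
);

for my $name (@inputs) {
    printf "%-22s %s\n", $name,
        filename_is_plain($name) ? 'accepted' : 'rejected';
}

# With the 3-arg form the same string is just a (non-existent) file name:
# open() fails instead of spawning a shell.
eval { open_3arg_safe('|id >/tmp/pwned') };
print "3-arg open on pipe string: $@" if $@;
```

In an application this check would run before any filename is handed to a GD constructor; the more robust option is to avoid passing filenames at all and give the constructor a filehandle you opened yourself or the image bytes via the *Data constructors.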

Evidence notes

The stored evidence does not identify who reported the vulnerability. The CVE record is listed in the National Vulnerability Database (NVD).

Official resources

CVE-2026-11526 was published on 2026-06-14T12:16:22.403Z and last modified on 2026-06-15T00:16:42.107Z.