PatchSiren cyber security CVE debrief

CVE-2026-11527 SHLOMIF CVE debrief

CVE-2026-11527 is a vulnerability in Config::IniFiles versions before 3.001000 for Perl. It allows OS command injection and file overwrite via a 2-arg open() of the -file argument in _make_filehandle. Config::IniFiles::_make_filehandle opens its filename argument with Perl's 2-arg open(), which parses the string for a mode: a filename that begins or ends with a pipe ('| cmd', 'cmd |') or begins with a redirect ('> path', '>> path') is run as a command or treated as a redirect rather than opened as a file. Any caller that forwards untrusted input to the -file argument therefore lets that input run an arbitrary command or truncate a file under the process UID.

Vendor: SHLOMIF
Product: Config::IniFiles
CVSS: Unknown
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-06-14
Original CVE updated: 2026-06-15
Advisory published: 2026-06-14
Advisory updated: 2026-06-15

Who should care

Developers and administrators running Config::IniFiles versions before 3.001000 for Perl, especially where any value passed to -file is derived from untrusted input, should be aware of this vulnerability and take steps to mitigate it.

Technical summary

The vulnerability is caused by the use of a 2-arg open() in Config::IniFiles::_make_filehandle, which lets a crafted filename be interpreted as a pipe or redirect and so allows OS command injection and file overwrite. The -file argument given to new(-file => $thing) reaches this helper through ReadConfig. An in-memory scalar reference (-file => \$text) does not open a path and is unaffected.

Defensive priority

High

Recommended defensive actions

  • Update to Config::IniFiles version 3.001000 or later.
  • Validate and sanitize all input to the -file argument; reject values that begin with a pipe or redirect character or end with a pipe.
  • Open files with 3-arg open(), which takes the mode as a separate argument and never parses the filename for pipes or redirects.
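
The following Perl script is an added example written for this debrief; it is not code from Config::IniFiles or from its fix. It contrasts the 2-arg open() pattern described in the technical summary with a 3-arg open() as recommended above, and adds a small input check for callers that cannot upgrade immediately. The function names (open_two_arg_unsafe, open_three_arg, looks_like_plain_path) and the temporary INI file are assumptions made for the demonstration; the hostile strings are constructed and are only ever checked, never executed.

```perl
#!/usr/bin/env perl
# Added example for CVE-2026-11527 (hypothetical names; not the module's code).
use strict;
use warnings;
use File::Temp qw(tempfile);

# The pattern behind the advisory: 2-arg open() infers the mode from the
# string itself, so "| cmd", "cmd |", "> path" or ">> path" become a pipe or
# a redirect instead of a file name. Shown for contrast only; never called
# here and never to be used on untrusted input.
sub open_two_arg_unsafe {
    my ($name) = @_;
    open(my $fh, $name) or return undef;   # mode parsed out of $name
    return $fh;
}

# The mitigation: 3-arg open() takes the mode explicitly, so the filename is
# taken literally. "| cmd" is then just a file that does not exist and the
# open simply fails.
sub open_three_arg {
    my ($name) = @_;
    open(my $fh, '<', $name) or return undef;
    return $fh;
}

# Defence in depth for code still on a 2-arg open() path: reject anything
# that Perl would read as a mode, pipe, redirect or special name.
sub looks_like_plain_path {
    my ($name) = @_;
    return 0 unless defined $name && length $name;
    return 0 if $name =~ /\A\s*[|<>+]/;   # leading pipe, redirect or mode prefix
    return 0 if $name =~ /\|\s*\z/;       # trailing pipe
    return 0 if $name =~ /\0/;            # embedded NUL truncates the C string
    return 0 if $name eq '-';             # "-" means STDIN to 2-arg open()
    return 1;
}

# Constructed INI file in a temporary location for the demonstration.
my ($tmp_fh, $tmp_path) = tempfile(SUFFIX => '.ini', UNLINK => 1);
print {$tmp_fh} "[main]\nkey=value\n";
close $tmp_fh;

# Input check: the real path is accepted, the constructed hostile strings
# are rejected before any open() call sees them.
for my $candidate ($tmp_path, "| echo injected", "> $tmp_path", "echo x |") {
    my $verdict = looks_like_plain_path($candidate) ? 'accept' : 'reject';
    printf "%-30s -> %s\n", $candidate, $verdict;
}

# 3-arg open() reads the genuine file normally.
my $fh = open_three_arg($tmp_path);
die "could not open $tmp_path: $!" unless $fh;
my @lines = <$fh>;
close $fh;
print "read ", scalar(@lines), " line(s) from $tmp_path\n";

# With 3-arg open() the same hostile strings are plain (non-existent) file
# names: nothing is executed and nothing is truncated.
for my $hostile ("| echo injected", "> $tmp_path") {
    my $h = open_three_arg($hostile);
    print "3-arg open of '$hostile': ",
          (defined $h ? 'opened (unexpected)' : 'failed safely'), "\n";
}
```

Run it with `perl example.pl`; it prints the accept/reject verdict for each candidate, the line count read from the temporary INI file, and confirms that the 3-arg open of the hostile strings fails without side effects. The input check is a stopgap for code that cannot yet move to 3.001000; the 3-arg open() is the actual fix.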

Evidence notes

The CVE record and NVD detail provide information on the vulnerability, including its description, CVSS score, and references; no CVSS score was present in the stored evidence at the time of this debrief.

Official resources

CVE-2026-11527 was published on 2026-06-14T12:16:23.357Z and modified on 2026-06-15T00:16:42.960Z.