PatchSiren

RRWO CVE debriefs

These pages are published after PatchSiren validates generated defensive summaries against stored public CVE and source evidence.

HIGH RRWO CVE published 2026-06-04

CVE-2026-49942

CVE-2026-49942 is a HIGH-severity vulnerability in Net::CIDR::Set versions through 0.20 for Perl. The issue arises from the lack of validation for network masks, which could contain Unicode digits or non-digits that are ignored. This oversight could lead to network masks accepting larger networks than intended. Additionally, leading zeros in network masks were accepted but treated as decimal instead of oc [truncated]

HIGH RRWO CVE published 2026-06-04

CVE-2026-49941

CVE-2026-49941 is a HIGH-severity vulnerability in Net::CIDR::Set for Perl. Versions through 0.20 did not validate IP addresses, leading to potential denial of service (DoS) attacks. The `add` method called the `_encode` method to parse addresses. If the addresses did not look like netmasks or network ranges, they were assumed to be single IP addresses and passed back to itself as a 32-bit or 128-bit netm [truncated]

MEDIUM RRWO CVE published 2026-06-04

CVE-2026-49940

CVE-2026-49940 is a vulnerability in Net::CIDR::Set versions through 0.20 for Perl. The issue allows non-ASCII IP addresses and netmasks to be accepted but not properly parsed as numbers. This could allow network masks to accept larger networks. The vulnerability has a CVSS score of 6.5 and a severity of MEDIUM.

HIGH RRWO CVE published 2026-05-28

CVE-2026-9658

Plack::Middleware::Security::Common versions before 0.13.1 for Perl did not block header injections in request paths. The header injection rule was ineffective at blocking header injections in the request paths unless they were double-encoded. The vulnerability was published on 2026-05-28 and modified later the same day. The vendor is identified as RRWO based on Metacpan reference data, though confidence [truncated]

MEDIUM RRWO CVE published 2026-05-26

CVE-2026-46740

Mojolicious::Plugin::Statsd versions through 0.04 for Perl allowed metric injection via unvalidated metric names and set values. The plugin failed to sanitize newlines, colons, and pipes—characters with special meaning in the StatsD protocol. Untrusted input used to construct metrics could inject additional StatsD commands, leading to metric manipulation or denial-of-service against downstream monitoring [truncated]

HIGH RRWO CVE published 2026-05-20

CVE-2026-47373

CVE-2026-47373 is a timing-attack issue in the Perl Crypt::SaltedHash module affecting versions through 0.09. The problem comes from using Perl's built-in eq comparison, which can expose timing discrepancies that may help an attacker infer information about the underlying hash. The supplied references point to a fix in Crypt::SaltedHash 0.10 and an associated security disclosure on the same day the CVE was published.

HIGH RRWO CVE published 2026-05-18

CVE-2026-8788

Net::Statsd::Lite versions through 0.10.0 for Perl contain a metric injection vulnerability in the `set_add` method. The method fails to sanitize input values for newlines, colons, and pipes—characters with special meaning in the StatsD protocol. When processing untrusted input, an attacker can inject additional StatsD metrics beyond the intended measurement, potentially corrupting monitoring data, exhaus [truncated]