PatchSiren

TODDR CVE debriefs

These pages are published after PatchSiren validates generated defensive summaries against stored public CVE and source evidence.

MEDIUM TODDR CVE published 2026-05-19

CVE-2026-5090

CVE-2026-5090 affects Template::Plugin::HTML versions through 3.102 for Perl. According to the published description, the module's html_filter function did not escape single quotes, which means data placed into HTML attributes delimited by single quotes could break out of the attribute and inject limited HTML or JavaScript. The issue is narrower than full raw HTML injection because angle brackets, ampersa [truncated]

CRITICAL TODDR CVE published 2026-03-19

CVE-2006-10003

CVE-2006-10003 is an off-by-one heap buffer overflow vulnerability in the st_serial_stack function of XML::Parser versions up to 2.47 for Perl. The bug occurs when parsing an XML file with very deep element nesting and can lead to a critical CVSS score of 9.8. The issue arises from the incorrect handling of stack expansion when the stack pointer equals the stack size minus one. This CVE was officially pub [truncated]

CRITICAL TODDR CVE published 2026-03-16

CVE-2026-4177

YAML::Syck versions through 1.36 for Perl has several potential security vulnerabilities, including a high-severity heap buffer overflow in the YAML emitter. The heap overflow occurs when class names exceed the initial 512-byte allocation. Additionally, the base64 decoder could read past the buffer end on trailing newlines. strtok mutated n->type_id in place, corrupting shared node data. A memory leak occ [truncated]