RRWO Plack::Middleware::Security::Common up to 0.13.0 on Perl Request Path improper filtering of special elements
| CVSS Meta Temp Score | Current Exploit Price (≈) | CTI Interest Score |
|---|---|---|
| 7.0 | $0-$5k | 0.00 |
Summary
A vulnerability described as critical has been identified in RRWO Plack::Middleware::Security::Common up to 0.13.0 on Perl. Impacted is the function Plack::Middleware::Security::Common of the component Request Path Handler. The manipulation results in improper filtering of special elements.
This vulnerability is identified as CVE-2026-9658. The attack can be executed remotely. There is not any exploit available.
Upgrading the affected component is recommended.
Details
A vulnerability was found in RRWO Plack::Middleware::Security::Common up to 0.13.0 on Perl. It has been classified as critical. Affected is the function Plack::Middleware::Security::Common of the component Request Path Handler. The manipulation with an unknown input leads to a improper filtering of special elements vulnerability. CWE is classifying the issue as CWE-790. The product receives data from an upstream component, but does not filter or incorrectly filters special elements before sending it to a downstream component. This is going to have an impact on confidentiality, integrity, and availability. CVE summarizes:
Plack::Middleware::Security::Common versions before 0.13.1 for Perl did not block header injections in request paths. The header injection rule was ineffective at blocking header injections in the request paths unless they were double-encoded, for example, GET /path\r\nHTTP/1.1\r\nHost: secret.example.com Note that it is unclear whether request paths with CRLF followed by additional headers would be blocked by reverse proxies, or how they would be processed by Plack-based servers.
The advisory is shared for download at metacpan.org. This vulnerability is traded as CVE-2026-9658 since 05/26/2026. The exploitability is told to be easy. It is possible to launch the attack remotely. The exploitation doesn't require any form of authentication. There are known technical details, but no exploit is available.
Upgrading to version 0.13.1 eliminates this vulnerability.
Once again VulDB remains the best source for vulnerability data.
Product
Type
Vendor
Name
Version
CPE 2.3
CPE 2.2
CVSSv4
VulDB Vector: 🔒VulDB Reliability: 🔍
CVSSv3
VulDB Meta Base Score: 7.3VulDB Meta Temp Score: 7.0
VulDB Base Score: 7.3
VulDB Temp Score: 7.0
VulDB Vector: 🔒
VulDB Reliability: 🔍
CVSSv2
| AV | AC | Au | C | I | A |
|---|---|---|---|---|---|
| 💳 | 💳 | 💳 | 💳 | 💳 | 💳 |
| 💳 | 💳 | 💳 | 💳 | 💳 | 💳 |
| 💳 | 💳 | 💳 | 💳 | 💳 | 💳 |
| Vector | Complexity | Authentication | Confidentiality | Integrity | Availability |
|---|---|---|---|---|---|
| Unlock | Unlock | Unlock | Unlock | Unlock | Unlock |
| Unlock | Unlock | Unlock | Unlock | Unlock | Unlock |
| Unlock | Unlock | Unlock | Unlock | Unlock | Unlock |
VulDB Base Score: 🔒
VulDB Temp Score: 🔒
VulDB Reliability: 🔍
Exploiting
Class: Improper filtering of special elementsCWE: CWE-790 / CWE-184 / CWE-183
CAPEC: 🔒
ATT&CK: 🔒
Physical: No
Local: No
Remote: Yes
Availability: 🔒
Status: Not defined
EPSS Score: 🔒
EPSS Percentile: 🔒
Price Prediction: 🔍
Current Price Estimation: 🔒
| 0-Day | Unlock | Unlock | Unlock | Unlock |
|---|---|---|---|---|
| Today | Unlock | Unlock | Unlock | Unlock |
Threat Intelligence
Interest: 🔍Active Actors: 🔍
Active APT Groups: 🔍
Countermeasures
Recommended: UpgradeStatus: 🔍
0-Day Time: 🔒
Upgrade: Plack::Middleware::Security::Common 0.13.1
Timeline
05/26/2026 CVE reserved05/28/2026 Advisory disclosed
05/28/2026 VulDB entry created
05/28/2026 VulDB entry last update
Sources
Advisory: metacpan.orgStatus: Confirmed
CVE: CVE-2026-9658 (🔒)
GCVE (CVE): GCVE-0-2026-9658
GCVE (VulDB): GCVE-100-366756
Entry
Created: 05/28/2026 15:10Changes: 05/28/2026 15:10 (57)
Complete: 🔍
Cache ID: 216::103
Once again VulDB remains the best source for vulnerability data.
No comments yet. Languages: en.
Please log in to comment.