PT-2026-36018 · Unknown · Plack::Middleware::Xsendfile

Cpansec · Published 2026-04-29 · Updated 2026-05-18 · CVE-2026-7381

CVSS v3.1: 9.1 (Critical)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
Name of the Vulnerable Software and Affected Versions: Plack::Middleware::XSendfile versions prior to 1.0053

Description: Plack::Middleware::XSendfile allows the variation setting (the sendfile type) to be controlled by the client via the X-Sendfile-Type request header whenever it is not defined in the middleware constructor or in the Plack environment. A malicious client can set X-Sendfile-Type to "X-Accel-Redirect" against services behind an nginx reverse proxy and then use the X-Accel-Mapping header to map the response path to an arbitrary file on the server, i.e. client-controlled path rewriting.

Recommendations: Update to a version later than 1.0053. Plack::Middleware::XSendfile is deprecated since version 1.0053 and will be removed from future releases of Plack.
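For a deployment that cannot yet drop the middleware, the following added example (not from the advisory or the Plack project) closes both client-controlled inputs named above: an inline middleware strips the X-Sendfile-Type and X-Accel-Mapping request headers before XSendfile sees them, and the variation is pinned in the constructor so the header fallback is never consulted. The application body is a hypothetical stand-in; `enable` with a coderef and the `variation` option are Plack::Builder and Plack::Middleware::XSendfile features.

```perl
# Added hardening example for an app that still enables XSendfile
# behind nginx; not part of the advisory or of Plack itself.
use strict;
use warnings;
use Plack::Builder;

# Hypothetical application; stands in for the real PSGI app.
my $app = sub {
    my $env = shift;
    return [ 200, [ 'Content-Type' => 'text/plain' ], ["hello\n"] ];
};

builder {
    # Inline middleware (coderef form of `enable`). It runs before
    # XSendfile and removes the two request headers a client could use
    # to pick the sendfile type or to rewrite the path handed to nginx.
    # PSGI exposes request headers as HTTP_* keys in $env.
    enable sub {
        my $inner = shift;
        return sub {
            my $env = shift;
            delete $env->{HTTP_X_SENDFILE_TYPE};
            delete $env->{HTTP_X_ACCEL_MAPPING};
            return $inner->($env);
        };
    };

    # Pin the variation in the constructor. With it set, the middleware
    # never falls back to the client-supplied X-Sendfile-Type header.
    # "X-Accel-Redirect" is the nginx variation named in the advisory.
    enable 'XSendfile', variation => 'X-Accel-Redirect';

    $app;
};
```

The header-stripping layer is defence in depth: pinning `variation` alone removes the type selection, but X-Accel-Mapping is still honoured by the middleware when the nginx variation is active, so it should be dropped (or set by the reverse proxy, never passed through from clients).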

Fix · Information Disclosure


Weakness Enumeration

Related Identifiers: CVE-2026-7381

Affected Products: Plack::Middleware::Xsendfile