PT-2026-41236 · Cpan · Www::Mechanize::Cached

Oalders

·

Published

2026-05-15

·

Updated

2026-05-15

·

CVE-2026-8612

CVSS v3.1

5.3

Medium

VectorAV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L
Name of the Vulnerable Software and Affected Versions WWW::Mechanize::Cached versions prior to 2.00
Description When no explicit cache backend is used, the software creates a default Cache::FileCache in /tmp/FileCache with a directory umask of 000, resulting in a cache root and subdirectories with mode 0777 and no sticky bit. This allows a local attacker with write access to the cache tree to replace a victim's cache entry for a known URL with an arbitrary frozen HTTP::Response blob. When the victim performs a get() request for that URL, the system reads the entry using Storable::thaw. If the victim process has loaded any class with a side-effectful STORABLE thaw, DESTROY, or overload hook, this can lead to local response forgery and arbitrary code execution.
Recommendations Update to version 2.00 or later.

Exploit

Fix

Deserialization of Untrusted Data

Incorrect Permission

Found an issue in the description? Have something to add? Feel free to write us 👾

Weakness Enumeration

Related Identifiers

CVE-2026-8612

Affected Products

Www::Mechanize::Cached