PT-2026-43494 · Cpan · Http::Daemon

Stig Palmquist


Published: 2026-05-27 · Updated: 2026-05-28

CVE-2026-8450

CVSS v3.1: 9.1 (Critical)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
Name of the Vulnerable Software and Affected Versions: HTTP::Daemon versions prior to 6.17
Description: OS command injection is possible through the send_file() function. This occurs because send_file() uses Perl's 2-arg open(), which interprets magic prefixes in the filename. Specifically, the prefixes '| cmd' and 'cmd |' open a pipe to a subprocess, while '> path' and '>> path' open a path for writing or appending. If untrusted input is passed to send_file(), OS commands can be executed with the UID of the daemon process. Additionally, the read-pipe form ('cmd |') can leak subprocess stdout into the HTTP response body, and the write-mode forms can create or truncate files at paths chosen by an attacker.
Recommendations: Update to version 6.17 or later. As a temporary workaround, restrict or avoid passing untrusted input to the send_file() function.
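The following Perl is an added illustration of the workaround, not code from the HTTP::Daemon distribution or from this advisory. It shows a handler that never lets a client-supplied name reach a 2-arg open(): the name is rejected if it carries any of the magic characters 2-arg open() interprets, confined to a document root, opened with the 3-arg form (fixed '<' mode, so the name is never interpreted), and the resulting handle is what gets passed to send_file(). The document root $DOCROOT and the helpers safe_static_path() and serve_static() are hypothetical; send_file(), send_error() and send_basic_header() are real HTTP::Daemon::ClientConn methods.

```perl
#!/usr/bin/env perl
# Added example (not HTTP::Daemon's own code): serve static files without
# handing an untrusted string to the 2-arg open() inside send_file().
use strict;
use warnings;
use File::Spec;
use Cwd qw(realpath);

# Hypothetical document root; adjust for your deployment.
my $DOCROOT = '/var/www/static';

# Return a canonical absolute path under $DOCROOT, or undef if the request
# must be refused. The checks are layered on purpose: the character tests
# catch the open() magic described in the advisory, the realpath test catches
# '..' and symlink escapes, and -f refuses directories and device nodes.
sub safe_static_path {
    my ($requested) = @_;
    return undef unless defined $requested && length $requested;

    # 2-arg open() trims surrounding whitespace, then looks at the ends of the
    # string: '|' at either end means a pipe, '>' and '>>' mean write/append,
    # '<' is an explicit read, '+' is read/write and a bare '-' is STDIN.
    return undef if $requested =~ /^\s*[|<>+\-]/;
    return undef if $requested =~ /\|\s*$/;
    return undef if $requested =~ /\0/;    # NUL would terminate the C string early

    my $abs  = realpath(File::Spec->catfile($DOCROOT, $requested));
    my $root = realpath($DOCROOT);
    return undef unless defined $abs && defined $root;
    return undef unless index($abs, "$root/") == 0;    # must stay inside the root
    return undef unless -f $abs;
    return $abs;
}

# $conn is an HTTP::Daemon::ClientConn; $requested is the client-supplied name.
sub serve_static {
    my ($conn, $requested) = @_;
    my $path = safe_static_path($requested);
    if (!defined $path) {
        $conn->send_error(403);
        return;
    }
    # 3-arg open: the mode is fixed to '<', so nothing in $path is interpreted.
    open(my $fh, '<', $path) or do { $conn->send_error(404); return };
    binmode $fh;
    $conn->send_basic_header(200);
    print $conn "Content-Type: application/octet-stream\r\n\r\n";
    $conn->send_file($fh);    # pass a handle, not a name: send_file() does not re-open it
    close $fh;
}
```

Passing a filehandle rather than a string to send_file() is the key design choice: the vulnerable open() only runs when send_file() receives a plain string, so a handler that opens the file itself with the 3-arg form sidesteps the issue on versions before 6.17 as well as after. The character filter is deliberately broader than the exact prefixes the advisory lists, so that filenames beginning with '-' or '+' are also refused.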

Fix

Weakness Enumeration: OS Command Injection

Related Identifiers: CVE-2026-8450

Affected Products: Http::Daemon