CVE-2026-8450
Published 2026-05-27
Priority P263 · critical · CVSS 3.1 base score 9.1
CVSS vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
EPSS: 1.23% (65.2th percentile)
HTTP::Daemon versions before 6.17 for Perl allow OS command injection via send_file().
send_file() opens its string argument with Perl's 2-arg open(). The 2-arg form interprets magic prefixes: '| cmd' and 'cmd |' open a pipe to a subprocess, '> path' and '>> path' open the path for write or append.
Untrusted input passed to send_file() can run OS commands at the daemon process UID. The read-pipe form ('cmd |') also leaks subprocess stdout into the HTTP response body. The write-mode forms can create or truncate files at attacker-chosen paths.
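An added example of the pattern the fix points toward (this is not code from HTTP::Daemon, its authors or any of the advisories on this page): never hand send_file() a string derived from the request. Resolve the request path to a file under a fixed document root, open it with 3-arg open() so the mode is explicit and the name is taken literally, and pass the filehandle, which send_file() accepts. The document root, the helper names (resolve_static, open_for_read, send_static) and the sample request paths are constructed for illustration.

```perl
use strict;
use warnings;
use File::Spec;
use File::Temp qw(tempdir);
use Cwd qw(realpath);

# Constructed document root: a temporary directory holding one legitimate file.
my $DOCROOT = realpath(tempdir(CLEANUP => 1));
{
    open(my $out, '>', "$DOCROOT/index.html") or die "setup: $!";
    print {$out} "<h1>hello</h1>\n";
    close $out;
}

# Map a URL path to a canonical on-disk path, or return nothing if it is not a
# regular file strictly inside $DOCROOT. Hypothetical helper.
sub resolve_static {
    my ($url_path) = @_;
    return if $url_path =~ /\0/;                       # embedded NUL
    (my $rel = $url_path) =~ s{^/+}{};
    return if $rel eq '';
    return if grep { $_ eq '..' } split m{/}, $rel;    # no parent traversal
    my $real = realpath(File::Spec->catfile($DOCROOT, $rel));
    return unless defined $real && -f $real;
    return unless index($real, "$DOCROOT/") == 0;      # still under the root
    return $real;
}

# 3-arg open(): the '<' mode is explicit, so a name such as 'id |' or
# '> path' is looked up literally and fails with ENOENT instead of being
# parsed as a pipe or a redirection. Hypothetical helper.
sub open_for_read {
    my ($path) = @_;
    open(my $fh, '<', $path) or return;
    return $fh;
}

# Request handler wired to an HTTP::Daemon::ClientConn ($conn). It passes a
# filehandle to send_file(), never a request-derived string. Hypothetical.
sub send_static {
    my ($conn, $url_path) = @_;
    my $path = resolve_static($url_path);
    return $conn->send_error(404) unless defined $path;
    my $fh = open_for_read($path) or return $conn->send_error(403);
    return $conn->send_file($fh);
}

# Constructed sample request paths: one legitimate, three shaped like the
# magic prefixes that 2-arg open() would have interpreted.
for my $p ('/index.html', '/id |', '/| id', '/> pwned.txt') {
    my $r = resolve_static($p);
    printf "%-14s -> %s\n", $p, defined $r ? $r : 'rejected';
}

# Even outside the resolver, 3-arg open() does not parse its filename argument.
my $fh = open_for_read("$DOCROOT/id |");
print "3-arg open of 'id |': ", (defined $fh ? 'opened' : "refused ($!)"), "\n";
```

The two checks are independent: the resolver refuses anything that is not a real file under the root, and the 3-arg open() makes sure that even if a strange name reached it, Perl would treat it as a filename rather than a command or redirection.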
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| oalders | http_daemon | < 6.17 | 6.17 |
| ubuntu | libhttp-daemon-perl | — | — |
Detection & IOCs (extracted from sources)
- Detect exploitation attempts via magic pipe-open prefixes passed to send_file(): look for HTTP request paths or parameters containing leading/trailing pipe characters ('| cmd' or 'cmd |') or write-redirect prefixes ('>' or '>>') that would be interpreted by Perl's 2-arg open()
- Monitor HTTP responses for unexpected command output leaking in the response body, which occurs when the read-pipe form ('cmd |') is triggered via send_file()
- Alert on unexpected file creation or truncation at attacker-controlled paths on systems running HTTP::Daemon, as write-mode exploitation can create or truncate arbitrary files
- Flag any process spawned as a child of an HTTP::Daemon process (perl-HTTP-Daemon), as successful exploitation causes OS commands to run at the daemon process UID
- Exploitation requires a non-default configuration where the application passes untrusted user input directly to send_file(); not all deployments of HTTP::Daemon are vulnerable by default
- Only HTTP::Daemon versions before 6.17 are affected; upgrading to 6.17 or later remediates the vulnerability
- Affected packages span multiple Red Hat Enterprise Linux versions (7, 8, 9, 10) as well as Fedora and Ubuntu; patch availability and status should be verified per distribution
CVSS provenance
NVD (v3.1): 9.1 CRITICAL, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
Red Hat (vendor): 9.1 CRITICAL
Ubuntu
HTTP-Daemon vulnerability
vendor_ubuntu·2026-06-10
Summary: HTTP-Daemon could be made to run programs if it received specially crafted network traffic.
It was discovered that HTTP-Daemon incorrectly handled untrusted input
under certain circumstances. A remote attacker could possibly use this
issue to execute arbitrary commands, create or overwrite arbitrary files,
or expose sensitive information.
Instructions: In general, a standard system update will make all the necessary changes.
Red Hat
perl-HTTP-Daemon: HTTP::Daemon: Arbitrary code execution via OS command injection in send_file()
vendor_redhat·2026-05-27·CVSS 9.1
CVE-2026-8450 [CRITICAL] CWE-78 perl-HTTP-Daemon: HTTP::Daemon: Arbitrary code execution via OS command injection in send_file()
A flaw was found in HTTP::Daemon, a Perl module used for creating HTTP servers. A remote attacker can exploit this vulnerability by providing specially c
GHSA
GHSA-3hc6-3p33-wq57: HTTP::Daemon versions before 6
ghsa_unreviewed·2026-05-27
CVE-2026-8450 [CRITICAL] CWE-73 GHSA-3hc6-3p33-wq57: HTTP::Daemon versions before 6
No detection rules found.
No public exploits indexed.
Bugzilla
CVE-2026-8450 perl-HTTP-Daemon: HTTP::Daemon: Arbitrary code execution via OS command injection in send_file() [fedora-all]
bugzilla·2026-06-15·CVSS 9.1
Disclaimer: Community trackers are created by Red Hat Product Security team on a best effort basis. Package maintainers are required to ascertain if the flaw indeed affects their package, before starting the update process.
Bugzilla
CVE-2026-8450 perl-HTTP-Daemon: HTTP::Daemon: Arbitrary code execution via OS command injection in send_file()
bugzilla·2026-05-27·CVSS 9.1
References:
- https://github.com/libwww-perl/HTTP-Daemon/commit/945d35141d94490f749640bd4390acd6a2193995.patch
- https://github.com/libwww-perl/HTTP-Daemon/pull/89
- https://metacpan.org/release/OALDERS/HTTP-Daemon-6.17/changes
- http://www.openwall.com/lists/oss-security/2026/05/27/5
- https://lists.debian.org/debian-lts-announce/2026/06/msg00028.html
- https://access.redhat.com/security/cve/CVE-2026-8450
- https://bugzilla.redhat.com/show_bug.cgi?id=2481773
- https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-8450.json
Published 2026-05-27