CVE-2026-8450
published 2026-05-27


Priority P263 · critical · 9.1 (CVSS 3.1)
CVSS vector: AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:H / A:N
EPSS: 1.23% (percentile 65.2)
HTTP::Daemon versions before 6.17 for Perl allow OS command injection via send_file(). send_file() opens its string argument with Perl's 2-arg open(). The 2-arg form interprets magic prefixes: '| cmd' and 'cmd |' open a pipe to a subprocess, '> path' and '>> path' open the path for write or append. Untrusted input passed to send_file() can run OS commands at the daemon process UID. The read-pipe form ('cmd |') also leaks subprocess stdout into the HTTP response body. The write-mode forms can create or truncate files at attacker-chosen paths.
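The safe pattern for the call site, as an added example that is neither HTTP::Daemon's own code nor the 6.17 fix: resolve the request path inside a fixed document root, open it with the three-argument open() whose mode is the literal '<', and hand send_file() the resulting filehandle (the module documents that send_file() accepts a filehandle as well as a filename), so request data never reaches a two-argument open(). The helper names resolve_under_docroot and send_file_safely, the docroot /srv/www and the accept-loop sketch at the end are this example's own assumptions.

```perl
# Added example, not HTTP::Daemon's own code: serve files without letting
# request data reach a 2-arg open(). Assumes $c is an HTTP::Daemon::ClientConn
# and that send_file() accepts an already-open filehandle (as documented).
use strict;
use warnings;
use Cwd qw(abs_path);
use File::Spec;

# Resolve $relpath inside $docroot; return the canonical absolute path, or
# undef if the request must be refused. $docroot is assumed not to be '/'.
sub resolve_under_docroot {
    my ($docroot, $relpath) = @_;
    # Conservative character set: rejects '|', '<', '>', '&', whitespace and
    # NUL, i.e. everything 2-arg open() would treat as magic, before any I/O.
    return undef unless defined $relpath && $relpath =~ m{\A[A-Za-z0-9_./-]+\z};
    # Refuse explicit parent-directory segments as well.
    return undef if grep { $_ eq '..' } split m{/}, $relpath;
    my $root = abs_path($docroot);
    return undef unless defined $root && -d $root;
    my $full = abs_path(File::Spec->catfile($root, $relpath));
    return undef unless defined $full;
    # Containment after symlink resolution: must be strictly below $root.
    return undef unless index($full, "$root/") == 0;
    return undef unless -f $full;
    return $full;
}

# Hardened replacement for the vulnerable pattern $c->send_file($untrusted).
sub send_file_safely {
    my ($c, $docroot, $relpath) = @_;
    my $full = resolve_under_docroot($docroot, $relpath);
    unless (defined $full) {
        $c->send_error(404);
        return 0;
    }
    # 3-arg open: the mode is the literal '<', so $full is only ever a path;
    # a leading '|', '>' or '>>' in it would be part of the filename, not magic.
    open(my $fh, '<', $full) or do { $c->send_error(500); return 0 };
    binmode $fh;
    $c->send_basic_header(200);
    $c->print("Content-Type: application/octet-stream\r\n");
    $c->print("Content-Length: " . (-s $full) . "\r\n");
    $c->send_crlf;                  # end of headers
    my $sent = $c->send_file($fh);  # filehandle form: no string open() inside
    close $fh;
    return $sent;                   # byte count, as send_file() returns it
}

# Sketch of use inside an HTTP::Daemon accept loop, $r being the HTTP::Request:
#   my $rel = $r->uri->path;
#   $rel =~ s{\A/+}{};
#   send_file_safely($c, '/srv/www', $rel);
```

The character allow-list does the real work: it refuses every byte 2-arg open() gives meaning to before any filesystem call, and the post-resolution containment check covers symlinks pointing outside the docroot, which is a separate problem from this CVE but sits on the same code path.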

Affected (2 ranges)

Vendor    Product              Version range   Fixed in
oalders   http_daemon          < 6.17          6.17
ubuntu    libhttp-daemon-perl

Detection & IOCs

  • Detect exploitation attempts via magic pipe-open prefixes passed to send_file(): look for HTTP request paths or parameters containing leading/trailing pipe characters ('| cmd' or 'cmd |') or write-redirect prefixes ('>' or '>>') that would be interpreted by Perl's 2-arg open()
  • Monitor HTTP responses for unexpected command output leaking in the response body, which occurs when the read-pipe form ('cmd |') is triggered via send_file()
  • Alert on unexpected file creation or truncation at attacker-controlled paths on systems running HTTP::Daemon, as write-mode exploitation can create or truncate arbitrary files
  • Flag any process spawned as a child of an HTTP::Daemon process (perl-HTTP-Daemon), as successful exploitation causes OS commands to run at the daemon process UID
  • Exploitation requires a non-default configuration where the application passes untrusted user input directly to send_file(); not all deployments of HTTP::Daemon are vulnerable by default
  • Only HTTP::Daemon versions before 6.17 are affected; upgrading to 6.17 or later remediates the vulnerability
  • Affected packages span multiple Red Hat Enterprise Linux versions (7, 8, 9, 10) as well as Fedora and Ubuntu; patch availability and status should be verified per distribution
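To make the first two detection items concrete, here is an added example (not part of the advisory) that models which of Perl's 2-arg open() forms a request-supplied string would select, then scans a few constructed request log lines and reports anything other than a plain path read. The rule set follows the magic forms documented for open() in perlfunc; the log format, the placeholder SOMECMD and the names two_arg_open_kind and scan_request_log are this example's own assumptions.

```perl
# Added example, not part of the advisory: classify request-supplied strings
# by the operation Perl's 2-arg open() would select for them, then scan
# constructed request log lines for anything other than a plain path read.
use strict;
use warnings;

# Simplified model of the magic forms documented for 2-arg open() in perlfunc.
sub two_arg_open_kind {
    my ($spec) = @_;
    my $s = defined $spec ? $spec : '';
    $s =~ s/\A\s+//;                   # open() discards leading ...
    $s =~ s/\s+\z//;                   # ... and trailing whitespace
    return 'stdio'         if $s eq '-' || $s eq '>-';   # STDIN / STDOUT
    return 'pipe_to_cmd'   if $s =~ /\A\|/;              # '| cmd': spawns a subprocess
    return 'pipe_from_cmd' if $s =~ /\|\z/;              # 'cmd |': subprocess output is read
    return 'dup'           if $s =~ /\A\+?[<>]{1,2}&/;   # '>&FH', '<&FH'
    return 'append'        if $s =~ /\A\+?>>/;           # '>> path' (test before '>')
    return 'write'         if $s =~ /\A\+?>/;            # '> path': creates or truncates
    return 'read_explicit' if $s =~ /\A\+?</;            # '< path'
    return 'read';                                       # bare path
}

# Constructed sample log, one request per line: "<client> <method> <decoded target>".
# SOMECMD stands in for whatever text a request might carry; it is not a real command.
my @sample_log = (
    '192.0.2.10 GET /static/report.pdf',
    '192.0.2.11 GET | SOMECMD',
    '192.0.2.12 GET SOMECMD |',
    '192.0.2.13 GET > /tmp/anything',
    '192.0.2.13 GET >> /tmp/anything',
    '192.0.2.14 GET   | SOMECMD  ',
);

# Return one finding line per request whose target is not a plain read.
sub scan_request_log {
    my @findings;
    for my $line (@_) {
        my ($client, $method, $target) = split / /, $line, 3;
        next unless defined $target;
        my $kind = two_arg_open_kind($target);
        next if $kind eq 'read';
        push @findings, sprintf('%s %s kind=%s target=%s', $client, $method, $kind, $target);
    }
    return @findings;
}

print "$_\n" for scan_request_log(@sample_log);
```

Run against the constructed lines, the first request is the only one classified as a plain read; the other five come back as pipe_to_cmd, pipe_from_cmd, write, append and pipe_to_cmd respectively. The whitespace trimming matters: the last line shows that padding around the pipe does not change what open() would do, so a detection rule that anchors on the first byte of the raw parameter would miss it.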

CVSS provenance

Source          Version   Score   Severity   Vector
nvd             v3.1      9.1     CRITICAL   CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
vendor_redhat             9.1     CRITICAL