CVE-2026-8450P2CRITICALCVSS 9.1fixed in 6.172026-05-27
CVE-2026-8450 [CRITICAL] CWE-73 CVE-2026-8450: HTTP::Daemon versions before 6.17 for Perl allow OS command injection via send_file(). send_file()
HTTP::Daemon versions before 6.17 for Perl allow OS command injection via send_file().
send_file() opens its string argument with Perl's 2-arg open(). The 2-arg form interprets magic prefixes: '| cmd' and 'cmd |' open a pipe to a subprocess, '> path' and '>> path' open the path for write or append.
Untrusted input passed to send_file() can run OS com
nvd