๐Ÿ” CVE Alert

CVE-2026-10879

CRITICAL 9.8

DBI versions before 1.648 for Perl have a heap overflow when preparsing SQL statements with more than 9 binders

CVSS Score 9.8
EPSS Score 0.0%
EPSS Percentile 5th

DBI versions before 1.648 for Perl have a heap overflow when preparsing SQL statements with more than 9 binders. The preparse method expands SQL placeholder characters to numbered binders of the form :pN, but only allocates three characters per binder in the buffer. Placeholders 10-99 require four characters, 100-999 require five characters, et cetera.
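The sizing arithmetic described above, as an added example in C; it is a model written for this page, not DBI's code. It assumes the placeholder character is `?`, that binders are numbered from 1, and it ignores quoting and comments. It compares a three-bytes-per-binder budget with the exact length and expands into a buffer sized from the exact count.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Bytes needed to write binder number n as ":pN" (without the NUL). */
static size_t binder_len(unsigned n) {
    size_t len = 2;                       /* ':' and 'p' */
    do { len++; n /= 10; } while (n);     /* one byte per decimal digit */
    return len;
}

/* Budget that assumes every binder fits in three bytes (the flawed estimate). */
size_t naive_len(const char *sql) {
    size_t len = 0;
    for (; *sql; sql++) len += (*sql == '?') ? 3 : 1;
    return len;
}

/* Exact output length: each '?' becomes ":pN", N counted from 1 (assumption). */
size_t exact_len(const char *sql) {
    size_t len = 0; unsigned n = 0;
    for (; *sql; sql++) len += (*sql == '?') ? binder_len(++n) : 1;
    return len;
}

/* Expand into a buffer sized from exact_len(); caller frees. NULL on failure. */
char *expand_binders(const char *sql) {
    size_t cap = exact_len(sql) + 1, pos = 0;
    unsigned n = 0;
    char *out = malloc(cap);
    if (!out) return NULL;
    for (; *sql; sql++) {
        if (*sql != '?') { out[pos++] = *sql; continue; }
        /* Bounded write: snprintf never goes past cap - pos bytes. */
        int w = snprintf(out + pos, cap - pos, ":p%u", ++n);
        if (w < 0 || (size_t)w >= cap - pos) { free(out); return NULL; }
        pos += (size_t)w;
    }
    out[pos] = '\0';
    return out;
}

int main(void) {
    /* Constructed sample statement with 11 binders. */
    const char *sql = "INSERT INTO t VALUES (?,?,?,?,?,?,?,?,?,?,?)";
    char *out = expand_binders(sql);
    printf("naive=%zu exact=%zu\n%s\n", naive_len(sql), exact_len(sql), out ? out : "(alloc failed)");
    free(out);
}
```

With nine binders the two lengths agree; from the tenth binder on, the three-byte budget falls short by one byte for each two-digit binder and by two for each three-digit one.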

CWE CWE-787
Vendor hmbrand
Product dbi
Published Jun 5, 2026
Last Updated Jun 8, 2026

Affected Versions

HMBRAND / DBI
0 < 1.648

References

metacpan.org: https://metacpan.org/release/HMBRAND/DBI-1.648/changes
github.com: https://github.com/perl5-dbi/dbi/commit/af79036c07aa9a457971c0f4136e37c85dc20978.patch
openwall.com: http://www.openwall.com/lists/oss-security/2026/06/06/4