CVE-2026-48962

HIGH 7.3

IO::Compress versions before 2.220 for Perl can execute arbitrary code in File::GlobMapper via an attacker-controlled output glob

CVSS Score

7.3

EPSS Score

0.0%

EPSS Percentile

0th

IO::Compress versions before 2.220 for Perl can execute arbitrary code in File::GlobMapper via an attacker-controlled output glob. _parseOutputGlob() wraps the caller-supplied output glob string in double quotes and stores it in the parser state; _getFiles() then runs the stored expression through eval STRING. A literal double quote in the output glob closes the dquote wrapper, and the characters that follow are evaluated as Perl. Arbitrary Perl in the output glob executes at the calling process's privilege.

CWE	CWE-95
Vendor	pmqs
Product	io::compress
Published	May 27, 2026
Last Updated	May 27, 2026

Stay Ahead of the Next One

Get instant alerts for pmqs io::compress

Be the first to know when new high vulnerabilities affecting pmqs io::compress are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

Affected Versions

PMQS / IO::Compress

0 < 2.220

References

NVD ↗ CVE.org ↗ EPSS Data ↗

github.com: https://github.com/pmqs/IO-Compress/commit/f2db247bf90d4cc7ee2710be384946081f3b4610.patch metacpan.org: https://metacpan.org/release/PMQS/IO-Compress-2.220/changes openwall.com: http://www.openwall.com/lists/oss-security/2026/05/27/4