CVE-2026-49145
App::Ack versions through 3.10.0 for Perl read arbitrary files via --files-from in a project .ackrc
CVSS Score
7.5
EPSS Score
0.0%
EPSS Percentile
0th
App::Ack versions through 3.10.0 for Perl read arbitrary files via --files-from in a project .ackrc. ack searches up the directory hierarchy from the current directory for a project .ackrc and loads its options. The project-source option blocklist in App::Ack::ConfigLoader does not include --files-from, so a project .ackrc can set it to a path whose listed files ack then reads and searches. Version 3.10.0 added --follow to the blocklist; --files-from remains accepted. A project .ackrc committed to an untrusted repository can make ack read files outside the project and print their matching lines.
| CWE | CWE-73 CWE-426 |
| Vendor | petdance |
| Product | app::ack |
| Published | Jul 8, 2026 |
| Last Updated | Jul 8, 2026 |
Stay Ahead of the Next One
Get instant alerts for petdance app::ack
Be the first to know when new high vulnerabilities affecting petdance app::ack are published β delivered to Slack, Telegram or Discord.
Get Free Alerts β
Free Β· No credit card Β· 60 sec setup
Affected Versions
PETDANCE / App::Ack
0 β€ 3.10.0
References
Credits
MichaΕ Majchrowicz (AFINE) Marcin Wyczechowski (AFINE)