πŸ” CVE Alert

CVE-2026-49147

HIGH 7.5

App::Ack versions through 3.10.0 for Perl print unsanitised terminal escape sequences from filenames in several output modes

CVSS Score
7.5
EPSS Score
0.0%
EPSS Percentile
0th

App::Ack versions through 3.10.0 for Perl print unsanitised terminal escape sequences from filenames in several output modes. When ack prints a filename whose basename contains terminal control bytes such as ANSI escape sequences, those bytes reach the terminal unchanged. Version 3.10.0 added a _safe_filename helper that sanitises the filenames printed by -f, -g, the colored match heading, and per-match lines, but the --show-types, -l/-L, and -c paths still emit the raw filename. A file whose name embeds cursor-movement or color escapes can overwrite or recolor earlier terminal output, or be passed unchanged to a downstream consumer.

CWE CWE-150
Vendor petdance
Product app::ack
Published Jul 8, 2026
Last Updated Jul 8, 2026
Stay Ahead of the Next One

Get instant alerts for petdance app::ack

Be the first to know when new high vulnerabilities affecting petdance app::ack are published β€” delivered to Slack, Telegram or Discord.

Get Free Alerts β†’ Free Β· No credit card Β· 60 sec setup

Affected Versions

PETDANCE / App::Ack
0 ≀ 3.10.0

References

NVD β†— CVE.org β†— EPSS Data β†—
metacpan.org: https://metacpan.org/release/PETDANCE/ack-v3.10.0/source/Changes openwall.com: http://www.openwall.com/lists/oss-security/2026/07/08/9

Credits

MichaΕ‚ Majchrowicz (AFINE) Marcin Wyczechowski (AFINE)