9.8
/ 10
CRITICAL
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Description
GD versions before 2.86 for Perl allow OS command injection and file overwrite via a 2-arg open() of filename arguments in _make_filehandle.
GD::Image::_make_filehandle opens a filename argument with Perl's 2-arg open(), so a filename that begins or ends with a pipe ("| cmd", "cmd |") or begins with a redirect ("> path", ">> path") is run as a command or redirect rather than opened as a file. _make_filehandle is the single open path behind every filename-accepting constructor (new, newFromPng, newFromJpeg, and the rest); the in-memory *Data variants do not open a path and are unaffected.
Any caller that forwards untrusted input to one of these constructors as a pathname can run an arbitrary command or truncate a file under the process UID.
GD::Image::_make_filehandle opens a filename argument with Perl's 2-arg open(), so a filename that begins or ends with a pipe ("| cmd", "cmd |") or begins with a redirect ("> path", ">> path") is run as a command or redirect rather than opened as a file. _make_filehandle is the single open path behind every filename-accepting constructor (new, newFromPng, newFromJpeg, and the rest); the in-memory *Data variants do not open a path and are unaffected.
Any caller that forwards untrusted input to one of these constructors as a pathname can run an arbitrary command or truncate a file under the process UID.
AI Analysis
GD library before version 2.86 is vulnerable to OS command injection and file overwrite via a 2-arg open() of filename arguments in _make_filehandle, allowing an attacker to run arbitrary commands or truncate files under the process UID.
Basic Information
ID
CVE-2026-11526
Source
CPANSec
Published
Jun 14, 2026 at 11:39
Modified
Jun 15, 2026 at 16:17
Affected Product
Vendor
RURBAN
Product
GD
Affected Versions
RURBAN GD 0
CWE Classification
AI Assessment
AI Score
9.8 / 10
AI Severity
Critical
Vendor
RURBAN
Product
GD
Version
before 2.86