Upstream information
Description
IO::Compress versions before 2.220 for Perl can execute arbitrary code in File::GlobMapper via an attacker-controlled output glob._parseOutputGlob() wraps the caller-supplied output glob string in double quotes and stores it in the parser state; _getFiles() then runs the stored expression through eval STRING. A literal double quote in the output glob closes the dquote wrapper, and the characters that follow are evaluated as Perl.
Arbitrary Perl in the output glob executes at the calling process's privilege.
SUSE information
Overall state of this security issue: Resolved
This issue is currently rated as having important severity.
| CVSS detail | CNA (0b0ca135-0b70-47e7-9f44-1890c2a1c46c) | CNA (CISA-ADP) |
|---|---|---|
| Base Score | 7.8 | 7.3 |
| Vector | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L |
| Attack Vector | Local | Network |
| Attack Complexity | Low | Low |
| Privileges Required | Low | None |
| User Interaction | None | None |
| Scope | Unchanged | Unchanged |
| Confidentiality Impact | High | Low |
| Integrity Impact | High | Low |
| Availability Impact | High | Low |
| CVSSv3 Version | 3.1 | 3.1 |
SUSE Security Advisories:
- RHSA-2026:30851, published Wed Jul 1 15:06:33 UTC 2026
- RHSA-2026:30858, published Tue Jun 30 15:07:25 UTC 2026
- RHSA-2026:30859, published Mon Jun 29 15:06:39 UTC 2026
- RHSA-2026:30860, published Wed Jul 1 15:06:31 UTC 2026
List of released packages
| Product(s) | Fixed package version(s) | References |
|---|---|---|
| SUSE Liberty Linux 10 |
| Patchnames: RHSA-2026:30860 |
| SUSE Liberty Linux 8 |
| Patchnames: RHSA-2026:30851 RHSA-2026:30858 |
| SUSE Liberty Linux 9 |
| Patchnames: RHSA-2026:30859 |
| openSUSE Leap 16.0 |
| Patchnames: openSUSE-Leap-16.0-packagehub-372 |
| openSUSE Tumbleweed |
| Patchnames: openSUSE-Tumbleweed-2026-10939 |
SUSE Timeline for this CVE
CVE page created: Wed May 27 07:00:02 2026CVE page last modified: Thu Jul 2 15:35:02 2026