Alerts This Week
Warning Icon 1 654
Alerts This Week
Warning Icon 1 654

Fedora 43 perl-HTTP-Daemon Moderate RCE Risk CVE-2026-8450

fedora
Calendar Grey June 18, 2026
Dist Fedora Esm H88
CVE-2026-8450 in perl-HTTP-Daemon affects Fedora 43 and has a moderate severity for remote code execution risk.
Changes: 6.17 2026-05-19 23:11:06Z Fix CVE-2026-8450 (affects 6.15 and earlier): 2-arg open() in send_file() enabled RCE / arbitrary file write / response-body exfiltration when ...

Summary

Instances of the HTTP::Daemon class are HTTP/1.1 servers that listen on a

socket for incoming requests. The HTTP::Daemon is a subclass of

IO::Socket::IP, so you can perform socket operations directly on it too.

Update Information:

Changes: 6.17 2026-05-19 23:11:06Z Fix CVE-2026-8450 (affects 6.15 and earlier): 2-arg open() in send_file() enabled RCE / arbitrary file write / response-body exfiltration when a string argument was derived from attacker- influenced input. send_file() now uses 3-arg open() with an explicit '<' read mode, so the path is always treated as a literal filename and 2-arg open() shell-magic shapes ('| cmd', 'cmd |', '> path', etc.) are no longer interpreted. send_file() now also returns '0E0' (true zero) on a successful zero-byte transfer so callers can distinguish empty file from open failure (undef). See https://www.cve.org/CVERecord?id=CVE-2026-8450 for the advisory. Reported and patched by Stig Palmquist (stigtsp). (Stig Palmquist, Olaf Alders)

Topics%20covered

Topics Covered

security advisory moderate fedora remote code arbitrary file write exfiltration

Change Log

* Wed May 20 2026 Michal Josef Špaček - 6.17-1 - 6.17 bump

References


[ 1 ] Bug #2480076 - perl-HTTP-Daemon-6.17 is available https://bugzilla.redhat.com/show_bug.cgi?id=2480076

Update Instructions

This update can be installed with the "dnf" update program. Use su -c 'dnf upgrade --advisory FEDORA-2026-f276b2154e' at the command line. For more information, refer to the dnf documentation available at http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label

Severity
important
Lowest
Low
Medium
High
Critical

Name: perl-HTTP-Daemon
Product: Fedora 43
Version: 6.17
Release: 1.fc43
URL: https://metacpan.org/release/HTTP-Daemon
Summary: Simple HTTP server class

Topics%20covered

Topics Covered

security advisory moderate fedora remote code arbitrary file write exfiltration

Get the latest News and Insights

Get the latest Linux and open source security news straight to your inbox.

Your message here