VDB

GHSA-x2wr-f89p-cqwh

GHSA-x2wr-f89p-cqwh PUBLISHED CVSS 9.800000190734863 CRITICAL

XML::Parser versions through 2.47 for Perl has an off-by-one heap buffer overflow in st_serial_stack. In the case (stackptr == stacksize - 1), the stack will NOT be expanded. Then the new value will be written at location (++stackptr), which equals stacksize and therefore falls just outside the allocated buffer. The bug can be observed when parsing an XML file with very deep element nesting

Risk Scores

CVSS 3.1
9.800000190734863
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Timeline

  • Mar 19, 2026 CVE Published
  • Apr 4, 2026 CVE Updated
  • Apr 10, 2026 Security Advisory
Open in Interactive Console →
$ Console Community · 100/wk Open console ›