Severity: CRITICAL | CVE-2026-11526 | CNA: CPANSec

CVE-2026-11526: GD versions before 2.86 for Perl allow OS command injection and file overwrite via a 2-arg open() of filename arguments in _make_filehandle

GD versions before 2.86 for Perl allow OS command injection and file overwrite via a 2-arg open() of filename arguments in _make_filehandle. GD::Image::_make_filehandle opens a filename argument with Perl's 2-arg open(), so a filename that begins or ends with a pipe ("| cmd", "cmd |") or begins with a redirect ("> path", ">> path") is run as a command or redirect rather than opened as a file. _make_filehandle is the single open path behind every filename-accepting constructor (new, newFromPng, newFromJpeg, and the rest); the in-memory *Data variants do not open a path and are unaffected. Any caller that forwards untrusted input to one of these constructors as a pathname can run an arbitrary command or truncate a file under the process UID.
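
The 2-arg open() behaviour described above, next to the 3-arg form that treats the same strings as plain paths, as an added Perl example (not code from GD or HarborGuard). The helper names `two_arg_open_mode` and `open_image_for_read` and the sample filenames are constructed for illustration; the commented GD call relies on GD's constructors accepting an already-open filehandle in place of a filename.

```perl
use strict;
use warnings;
use File::Temp qw(tempdir);

# How Perl's 2-arg open($fh, $name) would treat $name (the forms the advisory lists).
sub two_arg_open_mode {
    my ($name) = @_;
    (my $s = $name) =~ s/^\s+|\s+$//g;    # 2-arg open ignores surrounding whitespace
    return 'runs command (pipe to)'   if $s =~ /^\|/;
    return 'runs command (pipe from)' if $s =~ /\|$/;
    return 'appends to file'          if $s =~ /^>>/;
    return 'truncates file'           if $s =~ /^>/;
    return 'reads file';
}

# Hypothetical helper: 3-arg open with an explicit '<' mode, so $name is only ever
# a path to read. Returns a binary-mode handle, or undef if no such file exists.
sub open_image_for_read {
    my ($name) = @_;
    open(my $fh, '<', $name) or return;
    binmode $fh;
    return $fh;
}

# Constructed sample data: one file that must survive, plus the advisory's name shapes.
my $dir   = tempdir(CLEANUP => 1);
my $state = "$dir/state.txt";
open(my $out, '>', $state) or die "setup failed: $!";
print {$out} "keep me\n";
close $out;

for my $name ($state, "> $state", ">> $state", '| cmd', 'cmd |') {
    my $fh = open_image_for_read($name);
    (my $shown = $name) =~ s/\Q$dir\E/TMP/;
    printf "%-20s 2-arg: %-26s 3-arg '<': %s\n", "'$shown'",
        two_arg_open_mode($name), $fh ? 'opened' : 'no such file';
    # With GD installed, hand over the handle rather than the string:
    #   my $img = GD::Image->newFromPng($fh) if $fh;
    close $fh if $fh;
}

printf "state.txt is still %d bytes\n", -s $state;
```

Only the real path opens; every other string fails as a nonexistent file, and the sample file keeps its original 8 bytes.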

Metrics

  • CVSS v3.1: 9.8
  • Severity: CRITICAL
  • Fixed in: 2.86
  • Affected Products: 1


HarborGuard Analysis

Synopsis

OS command injection and file overwrite in the Perl GD image library (versions before 2.86) via a vulnerable 2-argument open() call inside the _make_filehandle function. The flaw is reachable over the network with no authentication required, affecting any application that forwards untrusted filenames to GD constructors such as new, newFromPng, or newFromJpeg. Successful exploitation lets an attacker execute arbitrary OS commands or overwrite files under the process UID, compromising confidentiality, integrity, and availability. A patched-image rebuild at version 2.86 is available on HarborGuard for environments running an affected version of the GD Perl module.

HarborGuard Coverage

Detection

Detection is available across every HarborGuard environment: the CVE is ingested from upstream feeds (including CPANSec advisories) within minutes of publication and matched against customer images in registries and CI pipelines, including custom-built images that bundle the GD Perl module.

Status: Available

Triage

HarborGuard scores this CVE at 9.8 CRITICAL using the published CVSS v3.1 vector, and applies each customer organization's compliance policy weighting to surface it in the appropriate severity tier. Triage findings are routed to the inbox configured for the affected workload's owner within each customer org.

Status: Available

Patch

A patched-image rebuild at GD 2.86 becomes available on HarborGuard for any image found to contain an affected version of the library. For customers with auto-remediation enabled, HarborGuard triggers a rebuild, runs a regression test suite against the updated image, and opens a pull request against affected workloads; median time from CVE publication to merged patch PR for critical-severity issues is around 90 minutes for environments with auto-remediation enabled.

Status: Available

Exploit Conditions

  • Network reachability: Required

    The vulnerable GD constructors are typically exposed via a network-facing application, so an attacker must be able to reach the service over the network to deliver a crafted filename.

  • Authentication: Not required

    No credentials or account are needed; the attack can be carried out by an unauthenticated remote party who can supply a filename to the application.

  • Victim interaction: Not required

    No user action is needed; exploitation is fully attacker-driven once a crafted filename reaches a GD constructor.

  • Attack complexity

    Attack complexity is low: the exploit requires no race conditions, specific memory layout, or environmental preconditions beyond supplying a pipe-prefixed or pipe-suffixed filename string.

Blast Radius

  • Reads arbitrary files and data accessible to the process UID, including secrets, configuration, and application data.
  • Executes arbitrary OS commands under the process UID, enabling full host compromise within the container or process boundary.
  • Overwrites or truncates arbitrary files writable by the process UID, destroying application state or configuration.
  • Disrupts availability of the affected service by corrupting critical files or consuming resources via spawned processes.

How HarborGuard Handles This

Available on HarborGuard: detection for CVE-2026-11526 is active across all customer environments, matching against both pulled base images and custom-built images that include the Perl GD module. For images confirmed to carry a GD version below 2.86, a rebuilt image at 2.86 is made available automatically. Where compliance policy permits auto-remediation, HarborGuard rebuilds the image, executes regression tests, and opens a pull request against every affected workload; for critical-severity issues, the median time from CVE publication to a merged patch PR is around 90 minutes. For environments where auto-remediation is not enabled, HarborGuard surfaces the finding with full CVSS detail and fix-version information so engineering teams can act manually. As a compensating control before patching, consider restricting the network paths that deliver filenames to GD constructors, and ensure the application never forwards externally supplied strings directly to GD image-loading functions.


Fix available: 2.86
Affected packages
  • RURBAN / GD
    < 2.86 (from 0)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H