CVE-2026-49147
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Summary
App::Ack versions through 3.10.0 for Perl print unsanitised terminal escape sequences from filenames in several output modes.
When ack prints a filename whose basename contains terminal control bytes such as ANSI escape sequences, those bytes reach the terminal unchanged. Version 3.10.0 added a _safe_filename helper that sanitises the filenames printed by -f, -g, the colored match heading, and per-match lines, but the –show-types, -l/-L, and -c paths still emit the raw filename.
A file whose name embeds cursor-movement or color escapes can overwrite or recolor earlier terminal output, or be passed unchanged to a downstream consumer.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| PETDANCE | App::Ack | 0 <= 3.10.0 | affected |
Weaknesses
- CWE-150: CWE-150 Improper Neutralization of Escape, Meta, or Control Sequences
Workarounds
Pipe ack output through a filter that strips terminal control characters when running ack over untrusted filenames.
ADP Enrichment
CISA ADP Vulnrichment
- SSVC:
- Exploitation: none
- Automatable: yes
- Technical Impact: partial
CVE Program Container
Additional References
References
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.