CVE-2026-57073
N/A
N/A
Summary
HTML::Bare versions through 0.04 for Perl have an unbounded character lookahead.
The parserc_parse function attempts to check for multicharacter strings such as "<![CDATA" or element terminators such as ">" without checking that the offsets are within the buffer.
Truncated strings such as "<a/" can trigger an out-of-bounds read.
Note that the latest version available on CPAN is version 0.02. Newer versions are available on the git repository.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| CODECHILD | HTML::Bare | 0 <= 0.04 | affected |
Weaknesses
- CWE-125: CWE-125 Out-of-bounds Read
Workarounds
Apply the patch to version 0.02 (from CPAN) or version 0.04 (from the git repository).
ADP Enrichment
CVE Program Container
Additional References
References
- https://github.com/nanoscopic/perl-HTML-Bare/pull/2
- https://security.metacpan.org/patches/H/HTML-Bare/0.02/CVE-2026-57073-r1.patch
- https://security.metacpan.org/patches/H/HTML-Bare/0.04/CVE-2026-57073-r2.patch
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.