CVE-2026-57073

Summary

HTML::Bare versions through 0.04 for Perl have an unbounded character lookahead.

The parserc_parse function attempts to check for multicharacter strings such as "<![CDATA" or element terminators such as ">" without checking that the offsets are within the buffer.

Truncated strings such as "<a/" can trigger an out-of-bounds read.

Note that the latest version available on CPAN is version 0.02. Newer versions are available on the git repository.

Affected Software

VendorProductVersion RangeStatus
CODECHILDHTML::Bare0 <= 0.04affected

Weaknesses

  • CWE-125: CWE-125 Out-of-bounds Read

Workarounds

Apply the patch to version 0.02 (from CPAN) or version 0.04 (from the git repository).

ADP Enrichment

CVE Program Container

Additional References

References