CVE-2026-11526 | GD versions before 2.86 for Perl allow OS command injection …

Description

GD versions before 2.86 for Perl allow OS command injection and file overwrite via a 2-arg open() of filename arguments in _make_filehandle. GD::Image::_make_filehandle opens a filename argument with Perl's 2-arg open(), so a filename that begins or ends with a pipe ("| cmd", "cmd |") or begins with a redirect ("> path", ">> path") is run as a command or redirect rather than opened as a file. _make_filehandle is the single open path behind every filename-accepting constructor (new, newFromPng, newFromJpeg, and the rest); the in-memory *Data variants do not open a path and are unaffected. Any caller that forwards untrusted input to one of these constructors as a pathname can run an arbitrary command or truncate a file under the process UID.

Metadata

CVE ID: CVE-2026-11526
State: PUBLISHED
Assigner: CPANSec
Reserved: 2026-06-07 19:26 UTC
Published: 2026-06-14 11:39 UTC
Last updated: 2026-06-14 23:28 UTC
Primary CWE: CWE-78
CWE-78 Improper Neutralization of Special Elements used in a…
Vendor / Product: RURBAN / GD
Sources: cve.org · NVD

Severity & Metrics

No CVSS data available.

Affected products (1)

Vendor	Product	Platform	Versions
RURBAN	GD	—	0 < 2.86

Weakness (CWE)

CWE	Source	Description
CWE-73	cna	CWE-73 External Control of File Name or Path
CWE-78	cna	CWE-78 Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

References (2)