CVE-2026-15392

Public on 2026-07-14
Modified on 2026-07-15
Description
DBD::File versions before 1.651 for Perl do not ensure the table file is not a symlink to an untrusted location.

The complete_table_name method builds the absolute table file path without checking whether the file is a symbolic link. A link inside the data directory can point to a table file at any path outside of the configured f_dir and f_dir_search directories.

Callers of file-based drivers can read or write files outside of the data directory.
Severity
Important severity
Important
See what this means
CVSS v3 Base Score
7.1
See breakdown

Affected Packages

Platform Package Release Date Advisory Status
Amazon Linux 2 - Core perl-DBI Pending Fix
Amazon Linux 2023 perl-DBI Pending Fix

CVSS Scores

Score Type Score Vector
Amazon Linux CVSSv3 7.1 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N