CVE-2026-7381

CRITICAL EPSS 35.4%
Published Apr 29, 20262mo ago · Modified Jun 17, 20262w ago
9.1 CVSS 3.1
Critical
Find Similar
Published Apr 29, 2026 2mo ago
Last Modified Jun 17, 2026 2w ago

Description

Plack::Middleware::XSendfile versions through 1.0053 for Perl can allow client-controlled path rewriting. Plack::Middleware::XSendfile allows the variation setting (sendfile type) to be set by the client via the X-Sendfile-Type header, if it is not considered in the middleware constructor or the Plack environment. A malicious client can set the X-Sendfile-Type header to "X-Accel-Redirect" to services running behind nginx reverse proxies, and then set the X-Accel-Mapping to map the path to an arbitrary file on the server. Since 1.0053, Plack::Middleware::XSendfile is deprecated and will be removed from future releases of Plack. This is similar to CVE-2025-61780 for Rack::Sendfile, although Plack::Middleware::XSendfile has some mitigations that disallow regular expressions to be used in the mapping, and only apply the mapping for the "X-Accel-Redirect" type.

CVSS Details

Base Score
9.1
Exploitability
3.9
Impact
5.2
Vector string
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
Attack Vector Network
Attack Complexity Low
Privileges Required None
User Interaction None
Scope Unchanged
Confidentiality High
Integrity High
Availability None

Threat Intelligence

EPSS Exploit Probability
35.4% percentile
Exploit & Patch Status
No Known Exploit
No Patch Available

Weaknesses 3

CWE-200 Exposure of Sensitive Information to an Unauthorized Actor Information Exposure
CWE-441
CWE-913

Affected Products 1

VendorProductVersionRange
miyagawaplack\\ ≤1.0053

References 3

  • metacpan.org https://metacpan.org/release/MIYAGAWA/Plack-1.0053/changes
    Release Notes
  • metacpan.org https://metacpan.org/release/MIYAGAWA/Plack-1.0053/view/lib/Plack/Middleware/XSendfile.pm#DEPRECATION-NOTICE
    Product
  • nvd.nist.gov https://nvd.nist.gov/vuln/detail/CVE-2025-61780
    US Government Resource

Remediation

No remediation data recorded yet

Check vendor advisories and the NVD entry for patch availability.