{"dataType":"CVE_RECORD","dataVersion":"5.2","cveMetadata":{"cveId":"CVE-2026-7381","assignerOrgId":"9b29abf9-4ab0-4765-b253-1875cd9b441e","state":"PUBLISHED","assignerShortName":"CPANSec","dateReserved":"2026-04-29T07:43:55.519Z","datePublished":"2026-04-29T22:13:35.351Z","dateUpdated":"2026-04-30T13:18:45.937Z"},"containers":{"cna":{"affected":[{"collectionURL":"https://cpan.org/modules","defaultStatus":"unaffected","packageName":"Plack","product":"Plack::Middleware::XSendfile","programFiles":["lib/Plack/Middleware::XSendfile.pm"],"repo":"https://github.com/plack/Plack","vendor":"MIYAGAWA","versions":[{"lessThanOrEqual":"1.0053","status":"affected","version":"0","versionType":"custom"}]}],"credits":[{"lang":"en","type":"finder","value":"CPANSec"}],"descriptions":[{"lang":"en","value":"Plack::Middleware::XSendfile versions through 1.0053 for Perl can allow client-controlled path rewriting.\n\nPlack::Middleware::XSendfile allows the variation setting (sendfile type) to be set by the client via the X-Sendfile-Type header, if it is not considered in the middleware constructor or the Plack environment.\n\nA malicious client can set the X-Sendfile-Type header to \"X-Accel-Redirect\" to services running behind nginx reverse proxies, and then set the X-Accel-Mapping to map the path to an arbitrary file on the server.\n\nSince 1.0053, Plack::Middleware::XSendfile is deprecated and will be removed from future releases of Plack.\n\nThis is similar to CVE-2025-61780 for Rack::Sendfile, although Plack::Middleware::XSendfile has some mitigations that disallow regular expressions to be used in the mapping, and only apply the mapping for the \"X-Accel-Redirect\" type."}],"problemTypes":[{"descriptions":[{"cweId":"CWE-200","description":"CWE-200 Exposure of Sensitive Information to an Unauthorized Actor","lang":"en","type":"CWE"}]},{"descriptions":[{"cweId":"CWE-441","description":"CWE-441 Unintended Proxy or Intermediary","lang":"en","type":"CWE"}]},{"descriptions":[{"cweId":"CWE-913","description":"CWE-913 Improper Control of Dynamically-Managed Code Resources","lang":"en","type":"CWE"}]}],"providerMetadata":{"orgId":"9b29abf9-4ab0-4765-b253-1875cd9b441e","shortName":"CPANSec","dateUpdated":"2026-04-29T22:13:35.351Z"},"references":[{"tags":["release-notes"],"url":"https://metacpan.org/release/MIYAGAWA/Plack-1.0053/changes"},{"tags":["technical-description"],"url":"https://metacpan.org/release/MIYAGAWA/Plack-1.0053/view/lib/Plack/Middleware/XSendfile.pm#DEPRECATION-NOTICE"},{"tags":["related"],"url":"https://nvd.nist.gov/vuln/detail/CVE-2025-61780"}],"solutions":[{"lang":"en","value":"Users are encouraged to set the appropriate header directly in their applications, or write their own middleware layer that does not allow configuration to be passed via HTTP request headers."}],"source":{"discovery":"UNKNOWN"},"timeline":[{"lang":"en","time":"2025-10-10T00:00:00.000Z","value":"Issue for Rack::Sendfile reported"},{"lang":"en","time":"2026-04-27T00:00:00.000Z","value":"Issue reported to maintainer of Plack"},{"lang":"en","time":"2025-04-28T00:00:00.000Z","value":"Plack 1.0052 released with improved security documentation in Plack::Middleware::XSendfile"},{"lang":"en","time":"2025-04-29T00:00:00.000Z","value":"Plack 1.0053 released that deprecates Plack::Middleware::XSendfile"}],"title":"Plack::Middleware::XSendfile versions through 1.0053 for Perl can allow client-controlled path rewriting","workarounds":[{"lang":"en","value":"Users can configure the X-Sendfile-Type in the middleware constructor, and the reverse proxy to unset the X-Sendfile-Type header and (on nginx) the X-Accel-Mapping request header."}],"x_generator":{"engine":"cpansec-cna-tool 0.1"}},"adp":[{"metrics":[{"cvssV3_1":{"scope":"UNCHANGED","version":"3.1","baseScore":9.1,"attackVector":"NETWORK","baseSeverity":"CRITICAL","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N","integrityImpact":"HIGH","userInteraction":"NONE","attackComplexity":"LOW","availabilityImpact":"NONE","privilegesRequired":"NONE","confidentialityImpact":"HIGH"}},{"other":{"type":"ssvc","content":{"timestamp":"2026-04-30T13:18:16.234435Z","id":"CVE-2026-7381","options":[{"Exploitation":"none"},{"Automatable":"yes"},{"Technical Impact":"total"}],"role":"CISA Coordinator","version":"2.0.3"}}}],"title":"CISA ADP Vulnrichment","providerMetadata":{"orgId":"134c704f-9b21-4f2e-91b3-4a467353bcc0","shortName":"CISA-ADP","dateUpdated":"2026-04-30T13:18:45.937Z"}}]}}