HTML::Bare versions through 0.04 for Perl have an unbounded character lookahead.
The parserc_parse function attempts to check for multicharacter strings such as "<![CDATA" or element terminators such as ">" without checking that the offsets are within the buffer.
Truncated strings such as "<a/" can trigger an out-of-bounds read.
Note that the latest version available on CPAN is version 0.02. Newer versions are available on the git repository.
The parserc_parse function attempts to check for multicharacter strings such as "<![CDATA" or element terminators such as ">" without checking that the offsets are within the buffer.
Truncated strings such as "<a/" can trigger an out-of-bounds read.
Note that the latest version available on CPAN is version 0.02. Newer versions are available on the git repository.
Project Subscriptions
No data.
Advisories
No advisories yet.
Fixes
Solution
No solution given by the vendor.
Workaround
Apply the patch to version 0.02 (from CPAN) or version 0.04 (from the git repository).
References
History
Thu, 16 Jul 2026 16:30:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Description | HTML::Bare versions through 0.04 for Perl have an unbounded character lookahead. The parserc_parse function attempts to check for multicharacter strings such as "<![CDATA" or element terminators such as ">" without checking that the offsets are within the buffer. Truncated strings such as "<a/" can trigger an out-of-bounds read. Note that the latest version available on CPAN is version 0.02. Newer versions are available on the git repository. | |
| Title | HTML::Bare versions through 0.04 for Perl have an unbounded character lookahead | |
| Weaknesses | CWE-125 | |
| References |
|
Projects
Sign in to view the affected projects.
Status: PUBLISHED
Assigner: CPANSec
Published:
Updated: 2026-07-16T16:15:16.551Z
Reserved: 2026-06-23T17:59:40.467Z
Link: CVE-2026-57073
No data.
No data.
No data.
OpenCVE Enrichment
No data.
Weaknesses