CVE-2026-7381CRITICAL 9.1EPSS p35.2%

CVE-2026-7381CVE-2026-7381

Description

Plack::Middleware::XSendfile versions through 1.0053 for Perl can allow client-controlled path rewriting. Plack::Middleware::XSendfile allows the variation setting (sendfile type) to be set by the client via the X-Sendfile-Type header, if it is not considered in the middleware constructor or the Plack environment. A malicious client can set the X-Sendfile-Type header to "X-Accel-Redirect" to services running behind nginx reverse proxies, and then set the X-Accel-Mapping to map the path to an arbitrary file on the server. Since 1.0053, Plack::Middleware::XSendfile is deprecated and will be removed from future releases of Plack. This is similar to CVE-2025-61780 for Rack::Sendfile, although Plack::Middleware::XSendfile has some mitigations that disallow regular expressions to be used in the mapping, and only apply the mapping for the "X-Accel-Redirect" type.

Scoring

CVSS 3.19.1 (CRITICAL)
VectorCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
EPSS0.44% probability of exploitation · percentile 35.2% · 2026-06-19T12:03:05Z
Published2026-04-29
Last modified2026-05-07

Underlying weaknesses· 3

CWE-200CWE-441CWE-913

References

  1. https://metacpan.org/release/MIYAGAWA/Plack-1.0053/changes
  2. https://metacpan.org/release/MIYAGAWA/Plack-1.0053/view/lib/Plack/Middleware/XSendfile.pm#DEPRECATION-NOTICE
  3. https://nvd.nist.gov/vuln/detail/CVE-2025-61780

3

TypeTargetConfidenceTier
WeaknessExposure of Sensitive Information to an Unauthorized Actorcwe-2000%live
WeaknessUnintended Proxy or Intermediary ('Confused Deputy')cwe-4410%live
WeaknessImproper Control of Dynamically-Managed Code Resourcescwe-9130%live

Related by meaning· 6

Nearest entities by semantic similarity across the cs-graph corpus.

CVE
CVE-2026-9658
CVE
CVE-2025-40926
CVE
CVE-2026-10294
CVE
CVE-2026-4176
CVE
CVE-2026-3381
CVE
CVE-2026-9256
Sourced from NVD + FIRST.org EPSS. Curated for EU compliance use cases by Adam Lundqvist, Founder at SQUR.