CVE-2026-10879

CVE-2026-10879: DBI versions before 1.648 for Perl have a heap overflow when preparsing SQL statements with more than 9 binders

Vendor Hmbrand

Product DBI

Weakness CWE-787

Published June 5, 2026

Last update June 8, 2026

View on NVD All CVEs

CVSS base score

—

What the vulnerability does

01Description

DBI versions before 1.648 for Perl have a heap overflow when preparsing SQL statements with more than 9 binders. The preparse method expands SQL placeholder characters to numbered binders of the form :pN, but only allocates three characters per binder in the buffer. Placeholders 10-99 require four characters, 100-999 require five characters, et cetera.

Key dates

02Disclosure timeline

June 5, 2026 CVE published

June 8, 2026 Record updated

External resources

03References

NVD — National Vulnerability Database https://nvd.nist.gov/vuln/detail/CVE-2026-10879

Related vulnerabilities

CVE-2026-10879: DBI versions before 1.648 for Perl have a heap overflow when preparsing SQL statements with more than 9 binders

01Description

02Disclosure timeline

03References

04Related CVE