CVE-2026-8500

CVE-2026-8500: Web::Passwd versions through 0.03 for Perl is vulnerable to RCE

Vendor Evank

Product Web::Passwd

Weakness CWE-78

Published May 13, 2026

Last update May 14, 2026

View on NVD All CVEs

CVSS base score

—

What the vulnerability does

01Description

Web::Passwd versions through 0.03 for Perl is vulnerable to RCE. Web::Passwd is a small CGI application for managing htpasswd files using the htpasswd command. The user parameter is not validated or escaped, and is used as the last argument on the command line, allowing for command injection.

Key dates

02Disclosure timeline

May 13, 2026 CVE published

May 14, 2026 Record updated

External resources

03References

NVD — National Vulnerability Database https://nvd.nist.gov/vuln/detail/CVE-2026-8500

Related vulnerabilities

04Related CVE

CVE-2021-3060 PAN-OS: OS Command Injection in Simple Certificate Enrollment Protocol (SCEP) CVE-2025-22368 Mennekes smart/premium charges systems, Command injection in sCU firmware update CVE-2026-6115 Totolink A7100RU CGI cstecgi.cgi setAppCfg os command injection CVE-2026-8913 Command Injection in TP-Link's Archer MR600 WireGuard Client Configuration CVE-2026-49185 Instruction Injection via FieldX MDM