HTML::Bare versions through 0.04 for Perl have an...
Critical severity
Unreviewed
Published
Jul 16, 2026
to the GitHub Advisory Database
•
Updated Jul 17, 2026
Description
Published by the National Vulnerability Database
Jul 16, 2026
Published to the GitHub Advisory Database
Jul 16, 2026
Last updated
Jul 17, 2026
HTML::Bare versions through 0.04 for Perl have an unbounded character lookahead.
The parserc_parse function attempts to check for multicharacter strings such as "<![CDATA" or element terminators such as ">" without checking that the offsets are within the buffer.
Truncated strings such as "<a/" can trigger an out-of-bounds read.
Note that the latest version available on CPAN is version 0.02. Newer versions are available on the git repository.
References