CVE-2026-7381

Published: Apr 30, 2026 Last Modified: Apr 30, 2026
ExploitDB:
Other exploit source:
Google Dorks:
CRITICAL 9,1
Source: 134c704f-9b21-4f2e-91b3-4a467353bcc0
Attack Vector: network
Attack Complexity: low
Privileges Required: none
User Interaction: none
Scope: unchanged
Confidentiality: high
Integrity: high
Availability: none

Description

AI Translation Available

Plack::Middleware::XSendfile versions through 1.0053 for Perl can allow client-controlled path rewriting.

Plack::Middleware::XSendfile allows the variation setting (sendfile type) to be set by the client via the X-Sendfile-Type header, if it is not considered in the middleware constructor or the Plack environment.

A malicious client can set the X-Sendfile-Type header to 'X-Accel-Redirect' to services running behind nginx reverse proxies, and then set the X-Accel-Mapping to map the path to an arbitrary file on the server.

Since 1.0053, Plack::Middleware::XSendfile is deprecated and will be removed from future releases of Plack.

This is similar to CVE-2025-61780 for Rack::Sendfile, although Plack::Middleware::XSendfile has some mitigations that disallow regular expressions to be used in the mapping, and only apply the mapping for the 'X-Accel-Redirect' type.

EPSS (Exploit Prediction Scoring System)

Trend Analysis

EPSS (Exploit Prediction Scoring System)

Prevede la probabilità di sfruttamento basata su intelligence sulle minacce e sulle caratteristiche della vulnerabilità.

EPSS Score
0,0001
Percentile
0,0th
Updated

EPSS Score Trend (Last 2 Days)

200

Exposure of Sensitive Information to an Unauthorized Actor

Draft
Abstraction: Class Structure: Simple
Common Consequences
Security Scopes Affected:
Confidentiality
Potential Impacts:
Read Application Data
Applicable Platforms
Technologies: Mobile, Not Technology-Specific, Web Based
Likelihood of Exploit: High
View CWE Details
441

Unintended Proxy or Intermediary ('Confused Deputy')

Draft
Abstraction: Class Structure: Simple
Common Consequences
Security Scopes Affected:
Non-Repudiation Access Control
Potential Impacts:
Gain Privileges Or Assume Identity Hide Activities Execute Unauthorized Code Or Commands
Applicable Platforms
All platforms may be affected
View CWE Details
913

Improper Control of Dynamically-Managed Code Resources

Incomplete
Abstraction: Class Structure: Simple
Common Consequences
Security Scopes Affected:
Integrity Other
Potential Impacts:
Execute Unauthorized Code Or Commands Varies By Context Alter Execution Logic
Applicable Platforms
Languages: Interpreted, Not Language-Specific
View CWE Details
https://metacpan.org/release/MIYAGAWA/Plack-1.0053/changes
https://metacpan.org/release/MIYAGAWA/Plack-1.0053/changes
https://metacpan.org/release/MIYAGAWA/Plack-1.0053/view/lib…
https://metacpan.org/release/MIYAGAWA/Plack-1.0053/view/lib/Plack/Middleware/XS…
https://nvd.nist.gov/vuln/detail/CVE-2025-61780
https://nvd.nist.gov/vuln/detail/CVE-2025-61780