{"api_version":"1","generated_at":"2026-04-30T12:37:43+00:00","cve":"CVE-2026-7381","urls":{"html":"https://cve.report/CVE-2026-7381","api":"https://cve.report/api/cve/CVE-2026-7381.json","docs":"https://cve.report/api","cve_org":"https://www.cve.org/CVERecord?id=CVE-2026-7381","nvd":"https://nvd.nist.gov/vuln/detail/CVE-2026-7381"},"summary":{"title":"Plack::Middleware::XSendfile versions through 1.0053 for Perl can allow client-controlled path rewriting","description":"Plack::Middleware::XSendfile versions through 1.0053 for Perl can allow client-controlled path rewriting.\n\nPlack::Middleware::XSendfile allows the variation setting (sendfile type) to be set by the client via the X-Sendfile-Type header, if it is not considered in the middleware constructor or the Plack environment.\n\nA malicious client can set the X-Sendfile-Type header to \"X-Accel-Redirect\" to services running behind nginx reverse proxies, and then set the X-Accel-Mapping to map the path to an arbitrary file on the server.\n\nSince 1.0053, Plack::Middleware::XSendfile is deprecated and will be removed from future releases of Plack.\n\nThis is similar to CVE-2025-61780 for Rack::Sendfile, although Plack::Middleware::XSendfile has some mitigations that disallow regular expressions to be used in the mapping, and only apply the mapping for the \"X-Accel-Redirect\" type.","state":"PUBLISHED","assigner":"CPANSec","published_at":"2026-04-29 23:16:19","updated_at":"2026-04-29 23:16:19"},"problem_types":["CWE-200","CWE-441","CWE-913","CWE-200 CWE-200 Exposure of Sensitive Information to an Unauthorized Actor","CWE-441 CWE-441 Unintended Proxy or Intermediary","CWE-913 CWE-913 Improper Control of Dynamically-Managed Code Resources"],"metrics":[],"references":[{"url":"https://metacpan.org/release/MIYAGAWA/Plack-1.0053/view/lib/Plack/Middleware/XSendfile.pm#DEPRECATION-NOTICE","name":"https://metacpan.org/release/MIYAGAWA/Plack-1.0053/view/lib/Plack/Middleware/XSendfile.pm#DEPRECATION-NOTICE","refsource":"9b29abf9-4ab0-4765-b253-1875cd9b441e","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://metacpan.org/release/MIYAGAWA/Plack-1.0053/changes","name":"https://metacpan.org/release/MIYAGAWA/Plack-1.0053/changes","refsource":"9b29abf9-4ab0-4765-b253-1875cd9b441e","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2025-61780","name":"https://nvd.nist.gov/vuln/detail/CVE-2025-61780","refsource":"9b29abf9-4ab0-4765-b253-1875cd9b441e","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://www.cve.org/CVERecord?id=CVE-2026-7381","name":"CVE Program record","refsource":"CVE.ORG","tags":["canonical"]},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-7381","name":"NVD vulnerability detail","refsource":"NVD","tags":["canonical","analysis"]}],"affected":[{"source":"CNA","vendor":"MIYAGAWA","product":"Plack::Middleware::XSendfile","version":"affected 1.0053 custom","platforms":[]}],"timeline":[{"source":"CNA","time":"2025-10-10T00:00:00.000Z","lang":"en","value":"Issue for Rack::Sendfile reported"},{"source":"CNA","time":"2026-04-27T00:00:00.000Z","lang":"en","value":"Issue reported to maintainer of Plack"},{"source":"CNA","time":"2025-04-28T00:00:00.000Z","lang":"en","value":"Plack 1.0052 released with improved security documentation in Plack::Middleware::XSendfile"},{"source":"CNA","time":"2025-04-29T00:00:00.000Z","lang":"en","value":"Plack 1.0053 released that deprecates Plack::Middleware::XSendfile"}],"solutions":[{"source":"CNA","title":"","value":"Users are encouraged to set the appropriate header directly in their applications, or write their own middleware layer that does not allow configuration to be passed via HTTP request headers.","time":"","lang":"en"}],"workarounds":[{"source":"CNA","title":"","value":"Users can configure the X-Sendfile-Type in the middleware constructor, and the reverse proxy to unset the X-Sendfile-Type header and (on nginx) the X-Accel-Mapping request header.","time":"","lang":"en"}],"exploits":[],"credits":[{"source":"CNA","value":"CPANSec","lang":"en"}],"nvd_cpes":[],"vendor_comments":[],"enrichments":{"kev":null,"epss":null,"legacy_qids":[]},"source_records":{"cve_program":{"containers":{"cna":{"affected":[{"collectionURL":"https://cpan.org/modules","defaultStatus":"unaffected","packageName":"Plack","product":"Plack::Middleware::XSendfile","programFiles":["lib/Plack/Middleware::XSendfile.pm"],"repo":"https://github.com/plack/Plack","vendor":"MIYAGAWA","versions":[{"lessThanOrEqual":"1.0053","status":"affected","version":"0","versionType":"custom"}]}],"credits":[{"lang":"en","type":"finder","value":"CPANSec"}],"descriptions":[{"lang":"en","value":"Plack::Middleware::XSendfile versions through 1.0053 for Perl can allow client-controlled path rewriting.\n\nPlack::Middleware::XSendfile allows the variation setting (sendfile type) to be set by the client via the X-Sendfile-Type header, if it is not considered in the middleware constructor or the Plack environment.\n\nA malicious client can set the X-Sendfile-Type header to \"X-Accel-Redirect\" to services running behind nginx reverse proxies, and then set the X-Accel-Mapping to map the path to an arbitrary file on the server.\n\nSince 1.0053, Plack::Middleware::XSendfile is deprecated and will be removed from future releases of Plack.\n\nThis is similar to CVE-2025-61780 for Rack::Sendfile, although Plack::Middleware::XSendfile has some mitigations that disallow regular expressions to be used in the mapping, and only apply the mapping for the \"X-Accel-Redirect\" type."}],"problemTypes":[{"descriptions":[{"cweId":"CWE-200","description":"CWE-200 Exposure of Sensitive Information to an Unauthorized Actor","lang":"en","type":"CWE"}]},{"descriptions":[{"cweId":"CWE-441","description":"CWE-441 Unintended Proxy or Intermediary","lang":"en","type":"CWE"}]},{"descriptions":[{"cweId":"CWE-913","description":"CWE-913 Improper Control of Dynamically-Managed Code Resources","lang":"en","type":"CWE"}]}],"providerMetadata":{"dateUpdated":"2026-04-29T22:13:35.351Z","orgId":"9b29abf9-4ab0-4765-b253-1875cd9b441e","shortName":"CPANSec"},"references":[{"tags":["release-notes"],"url":"https://metacpan.org/release/MIYAGAWA/Plack-1.0053/changes"},{"tags":["technical-description"],"url":"https://metacpan.org/release/MIYAGAWA/Plack-1.0053/view/lib/Plack/Middleware/XSendfile.pm#DEPRECATION-NOTICE"},{"tags":["related"],"url":"https://nvd.nist.gov/vuln/detail/CVE-2025-61780"}],"solutions":[{"lang":"en","value":"Users are encouraged to set the appropriate header directly in their applications, or write their own middleware layer that does not allow configuration to be passed via HTTP request headers."}],"source":{"discovery":"UNKNOWN"},"timeline":[{"lang":"en","time":"2025-10-10T00:00:00.000Z","value":"Issue for Rack::Sendfile reported"},{"lang":"en","time":"2026-04-27T00:00:00.000Z","value":"Issue reported to maintainer of Plack"},{"lang":"en","time":"2025-04-28T00:00:00.000Z","value":"Plack 1.0052 released with improved security documentation in Plack::Middleware::XSendfile"},{"lang":"en","time":"2025-04-29T00:00:00.000Z","value":"Plack 1.0053 released that deprecates Plack::Middleware::XSendfile"}],"title":"Plack::Middleware::XSendfile versions through 1.0053 for Perl can allow client-controlled path rewriting","workarounds":[{"lang":"en","value":"Users can configure the X-Sendfile-Type in the middleware constructor, and the reverse proxy to unset the X-Sendfile-Type header and (on nginx) the X-Accel-Mapping request header."}],"x_generator":{"engine":"cpansec-cna-tool 0.1"}}},"cveMetadata":{"assignerOrgId":"9b29abf9-4ab0-4765-b253-1875cd9b441e","assignerShortName":"CPANSec","cveId":"CVE-2026-7381","datePublished":"2026-04-29T22:13:35.351Z","dateReserved":"2026-04-29T07:43:55.519Z","dateUpdated":"2026-04-29T22:13:35.351Z","state":"PUBLISHED"},"dataType":"CVE_RECORD","dataVersion":"5.2"},"nvd":{"publishedDate":"2026-04-29 23:16:19","lastModifiedDate":"2026-04-29 23:16:19","problem_types":["CWE-200","CWE-441","CWE-913","CWE-200 CWE-200 Exposure of Sensitive Information to an Unauthorized Actor","CWE-441 CWE-441 Unintended Proxy or Intermediary","CWE-913 CWE-913 Improper Control of Dynamically-Managed Code Resources"],"metrics":[],"configurations":[]},"legacy_mitre":{"record":{"CveYear":"2026","CveId":"7381","Ordinal":"1","Title":"Plack::Middleware::XSendfile versions through 1.0053 for Perl ca","CVE":"CVE-2026-7381","Year":"2026"},"notes":[{"CveYear":"2026","CveId":"7381","Ordinal":"1","NoteData":"Plack::Middleware::XSendfile versions through 1.0053 for Perl can allow client-controlled path rewriting.\n\nPlack::Middleware::XSendfile allows the variation setting (sendfile type) to be set by the client via the X-Sendfile-Type header, if it is not considered in the middleware constructor or the Plack environment.\n\nA malicious client can set the X-Sendfile-Type header to \"X-Accel-Redirect\" to services running behind nginx reverse proxies, and then set the X-Accel-Mapping to map the path to an arbitrary file on the server.\n\nSince 1.0053, Plack::Middleware::XSendfile is deprecated and will be removed from future releases of Plack.\n\nThis is similar to CVE-2025-61780 for Rack::Sendfile, although Plack::Middleware::XSendfile has some mitigations that disallow regular expressions to be used in the mapping, and only apply the mapping for the \"X-Accel-Redirect\" type.","Type":"Description","Title":"Plack::Middleware::XSendfile versions through 1.0053 for Perl ca"}]}}}