CVE-2026-49940
6.5 MEDIUMNet::CIDR::Set versions through 0.20 for Perl accept non-ASCII IP addresses and netmasks
Published: 2026-06-04 · Last updated: 2026-06-08
Severity and scoring
- CVSS
- 6.5 MEDIUM
- Vector
- CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
- CWE
- CWE-1289
Affected products
| Vendor | Product |
|---|---|
| rrwo | net\ |
Description
Net::CIDR::Set versions through 0.20 for Perl accept non-ASCII IP addresses and netmasks. Unicode digits such as the Arabic-Indic One (U+0661) were accepted but not properly parsed as numbers. This could allow network masks to accept larger networks.
Source: NVD
References
Related CVEs
Same vendor
- CVE-2026-49942 — Net::CIDR::Set versions through 0.20 for Perl did not validate network masks (7.3 HIGH)
- CVE-2026-49941 — Net::CIDR::Set versions through 0.20 for Perl did not validate IP addresses (7.5 HIGH)
Same CWE
- CVE-2026-42462 — Fedify is a TypeScript library for building federated server apps powered by ActivityPub (7.0 HIGH)
- CVE-2026-49942 — Net::CIDR::Set versions through 0.20 for Perl did not validate network masks (7.3 HIGH)
- CVE-2026-47674 — Hono is a Web application framework that provides support for any JavaScript runtime (5.3 MEDIUM)
- CVE-2026-39821 — The ToASCII and ToUnicode functions incorrectly accept Punycode-encoded labels that decode to an ASCII-only label (9.6 CRITICAL)
- CVE-2026-41213 — @node-oauth/oauth2-server is a module for implementing an OAuth2 server in Node.js (5.9 MEDIUM)