CVE-2026-49942
7.3 HIGH
Net::CIDR::Set versions through 0.20 for Perl did not validate network masks
Published: 2026-06-04 · Last updated: 2026-06-08
Severity and scoring
- CVSS: 7.3 HIGH
- Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
- CWE: CWE-1289
Affected products
| Vendor | Product |
|---|---|
| rrwo | net\ |
Description
Net::CIDR::Set versions through 0.20 for Perl did not validate network masks. The mask portion of a network mask could contain Unicode digits such as the Arabic-Indic One (U+0661), or non-digits, which were ignored. This could allow network masks to accept larger networks. Leading zeros were also accepted, but treated as decimal instead of octal. This could lead to confusion about what networks are acceptable.
Source: NVD
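A pre-validation check a caller could apply to IPv4 CIDR strings before handing them to a parser, rejecting the mask forms described above (non-ASCII digits, non-digits, leading zeros). This is an added example, not code from Net::CIDR::Set or its fix; `strict_ipv4_prefix` is a hypothetical helper, it covers IPv4 only, and the sample inputs are constructed.

```perl
use strict;
use warnings;

# Hypothetical helper (not part of Net::CIDR::Set): returns the CIDR string
# unchanged if it is canonical IPv4 "a.b.c.d/len", otherwise undef.
sub strict_ipv4_prefix {
    my ($cidr) = @_;
    return unless defined $cidr;

    # Exactly one "/" and \z (not $) so a trailing newline is not tolerated.
    return unless $cidr =~ m{\A([^/]+)/([^/]+)\z};
    my ($addr, $len) = ($1, $2);

    # [0-9] rather than \d: \d also matches non-ASCII decimal digits such as
    # U+0661 unless the /a modifier is in effect. No leading zeros, so the
    # decimal-versus-octal question never arises.
    return unless $len =~ /\A(?:0|[1-9][0-9]?)\z/ && $len <= 32;

    # Same rules for each octet; limit -1 keeps trailing empty fields.
    my @octets = split /\./, $addr, -1;
    return unless @octets == 4;
    for my $o (@octets) {
        return unless $o =~ /\A(?:0|[1-9][0-9]{0,2})\z/ && $o <= 255;
    }
    return "$addr/$len";
}

# Constructed sample inputs: one canonical value and the malformed mask
# forms named in the description.
my @samples = (
    [ 'canonical /24'          => "192.0.2.0/24" ],
    [ 'Arabic-Indic One + 6'   => "192.0.2.0/\x{661}6" ],
    [ 'non-digit inside mask'  => "192.0.2.0/2x4" ],
    [ 'leading zero in mask'   => "192.0.2.0/024" ],
    [ 'mask out of range'      => "192.0.2.0/33" ],
    [ 'trailing newline'       => "192.0.2.0/24\n" ],
);

for my $s (@samples) {
    my ($label, $input) = @$s;
    my $ok = strict_ipv4_prefix($input);
    printf "%-24s %s\n", $label, defined $ok ? "accept $ok" : 'reject';
}
```

Only the first sample is accepted; every other input is rejected before it can reach a CIDR parser.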
Related CVEs
Same vendor
- CVE-2026-49941 — Net::CIDR::Set versions through 0.20 for Perl did not validate IP addresses (7.5 HIGH)
- CVE-2026-49940 — Net::CIDR::Set versions through 0.20 for Perl accept non-ASCII IP addresses and netmasks (6.5 MEDIUM)
Same CWE
- CVE-2026-42462 — Fedify is a TypeScript library for building federated server apps powered by ActivityPub (7.0 HIGH)
- CVE-2026-49940 — Net::CIDR::Set versions through 0.20 for Perl accept non-ASCII IP addresses and netmasks (6.5 MEDIUM)
- CVE-2026-47674 — Hono is a Web application framework that provides support for any JavaScript runtime (5.3 MEDIUM)
- CVE-2026-39821 — The ToASCII and ToUnicode functions incorrectly accept Punycode-encoded labels that decode to an ASCII-only label (9.6 CRITICAL)
- CVE-2026-41213 — @node-oauth/oauth2-server is a module for implementing an OAuth2 server in Node.js (5.9 MEDIUM)