CVE-2026-9334
7.3 HIGHCpanel::JSON::XS versions before 4.41 for Perl allow type confusion via duplicate object keys when dupkeys_as_arrayref is enabled
Published: 2026-06-03 · Last updated: 2026-06-05
Severity and scoring
- CVSS
- 7.3 HIGH
- Vector
- CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
- CWE
- CWE-843
Affected products
| Vendor | Product |
|---|---|
| rurban | cpanel\ |
Description
Cpanel::JSON::XS versions before 4.41 for Perl allow type confusion via duplicate object keys when dupkeys_as_arrayref is enabled. decode_hv() collapses duplicate object keys into an array reference under dupkeys_as_arrayref. The branch reached for a duplicate key tests `SvTYPE (old_value) != SVt_RV && SvTYPE (SvRV (old_value)) != SVt_PVAV`, which evaluates SvRV(old_value) before establishing that old_value is a reference. When the existing value is a plain scalar rather than an array reference, a non-reference scalar is dereferenced as a reference. A caller decoding untrusted JSON with dupkeys_as_arrayref enabled is crashed, and the incompatible access follows a pointer taken from attacker controlled scalar contents.
Source: NVD
References
Related CVEs
Same vendor
- CVE-2026-9516 — Cpanel::JSON::XS versions before 4.41 for Perl allow denial of service via UTF-8 BOM prefixed input when a decode filter callback throws (7.5 HIGH)
Same CWE
- CVE-2026-45641 — Out-of-bounds read in Windows Hyper-V allows an unauthorized attacker to execute code locally (8.4 HIGH)
- CVE-2026-45635 — Use after free in Universal Plug and Play (upnp.dll) allows an unauthorized attacker to execute code over a network (8.1 HIGH)
- CVE-2026-45600 — Access of resource using incompatible type ('type confusion') in Windows Kernel-Mode Drivers allows an authorized attacker to elevate pri... (7.8 HIGH)
- CVE-2026-45456 — Access of resource using incompatible type ('type confusion') in Microsoft Office allows an unauthorized attacker to execute code locally (8.4 HIGH)
- CVE-2026-44817 — Integer underflow (wrap or wraparound) in Microsoft Office Excel allows an unauthorized attacker to execute code locally (7.8 HIGH)