SecuriTricks - CVE-2026-7381

Description

Plack::Middleware::XSendfile versions through 1.0053 for Perl can allow client-controlled path rewriting. Plack::Middleware::XSendfile allows the variation setting (sendfile type) to be set by the client via the X-Sendfile-Type header, if it is not considered in the middleware constructor or the Plack environment. A malicious client can set the X-Sendfile-Type header to "X-Accel-Redirect" to services running behind nginx reverse proxies, and then set the X-Accel-Mapping to map the path to an arbitrary file on the server. Since 1.0053, Plack::Middleware::XSendfile is deprecated and will be removed from future releases of Plack. This is similar to CVE-2025-61780 for Rack::Sendfile, although Plack::Middleware::XSendfile has some mitigations that disallow regular expressions to be used in the mapping, and only apply the mapping for the "X-Accel-Redirect" type.

Product(s) Impacted

Vendor	Product	Versions
Plack	Plack Middleware Xsendfile	<1.0053

Weaknesses

Common security weaknesses mapped to this vulnerability.

CWE-200

Exposure of Sensitive Information to an Unauthorized Actor

The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.

*CPE(s)

Affected systems and software identified for this CVE.

Type	Vendor	Product	Version	Update	Edition	Language	Software Edition	Target Software	Target Hardware	Other Information
a	plack	plack_middleware_xsendfile	<1.0053	/	/	/	/	/	/	/

References

https://metacpan.org/release/MIYAGAWA/Plack-1.0053/changes

https://metacpan.org/release/MIYAGAWA/Plack-1.0053/view/lib/Plack/Middleware/XSendfile.pm#DEPRECATION-NOTICE

https://nvd.nist.gov/vuln/detail/CVE-2025-61780

Timeline

Published: April 29, 2026, 11:16 p.m.
Last Modified: April 29, 2026, 11:16 p.m.

Status : Received

CVE has been recently published to the CVE List and has been received by the NVD.

More info

Source

9b29abf9-4ab0-4765-b253-1875cd9b441e

CVE-2026-7381