Description

Plack::Middleware::XSendfile versions through 1.0053 for Perl can allow client-controlled path rewriting. Plack::Middleware::XSendfile allows the variation setting (sendfile type) to be set by the client via the X-Sendfile-Type header, if it is not considered in the middleware constructor or the Plack environment. A malicious client can set the X-Sendfile-Type header to "X-Accel-Redirect" to services running behind nginx reverse proxies, and then set the X-Accel-Mapping to map the path to an arbitrary file on the server. Since 1.0053, Plack::Middleware::XSendfile is deprecated and will be removed from future releases of Plack. This is similar to CVE-2025-61780 for Rack::Sendfile, although Plack::Middleware::XSendfile has some mitigations that disallow regular expressions to be used in the mapping, and only apply the mapping for the "X-Accel-Redirect" type.

INFO

Published Date :

2026-04-29T22:13:35.351Z

Last Modified :

2026-04-30T13:18:45.937Z

Source :

CPANSec
AFFECTED PRODUCTS

The following products are affected by CVE-2026-7381 vulnerability.

Vendors Products
Miyagawa
  • Plack::middleware::xsendfile
  • Plack\
REFERENCES

Here, you will find a curated list of external links that provide in-depth information to CVE-2026-7381.

URL Resource
https://metacpan.org/release/MIYAGAWA/Plack-1.0053/changes cve-icon cve-icon
https://metacpan.org/release/MIYAGAWA/Plack-1.0053/view/lib/Plack/Middleware/XSendfile.pm#DEPRECATION-NOTICE cve-icon cve-icon
https://nvd.nist.gov/vuln/detail/CVE-2025-61780 cve-icon cve-icon
Login to claim this CVE

CVSS Vulnerability Scoring System

Detailed values of each vector for above chart.
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality Impact
Integrity Impact
Availability Impact