CVE-2026-9516

CVE-2026-9516 is a high-severity vulnerability in Rurban Cpanel with a CVSS 3.x base score of 7.5. It is not currently listed as actively exploited by CISA, and its EPSS exploit-prediction score is low. The underlying weakness is classified as CWE-755.

Key facts

Description

Cpanel::JSON::XS versions before 4.41 for Perl allow denial of service via UTF-8 BOM prefixed input when a decode filter callback throws. To skip a leading 3-byte UTF-8 BOM, decode_json() advances the input scalar's string pointer past the mark with SvPV_set() and restores it only on the normal return path. When decoding aborts through a Perl exception, for example a filter_json_object callback that croaks, the restore is skipped and the scalar is left with its string pointer offset into its own buffer and a shortened length. When that scalar is later freed, the allocator receives an invalid pointer and the interpreter aborts. A single BOM prefixed document decoded with a throwing filter callback crashes any caller.

Frequently asked questions

What is CVE-2026-9516?
Cpanel::JSON::XS versions before 4.41 for Perl allow denial of service via UTF-8 BOM prefixed input when a decode filter callback throws. To skip a leading 3-byte UTF-8 BOM, decode_json() advances the input scalar's string pointer past the mark with SvPV_set() and restores it only on the normal return path. When decoding aborts through a Perl exception, for example a filter_json_object callback that croaks, the restore is skipped and the scalar is left with its string pointer offset into its own buffer and a shortened length. When that scalar is later freed, the allocator receives an invalid pointer and the interpreter aborts. A single BOM prefixed document decoded with a throwing filter callback crashes any caller.
How severe is CVE-2026-9516?
CVE-2026-9516 has a CVSS 3.x base score of 7.5, rated high severity. It is exploitable over network with low attack complexity, requires no privileges and no user interaction. Impact on confidentiality is none, integrity none, and availability high.
Is CVE-2026-9516 being actively exploited?
It is not currently listed in CISA's KEV catalog. Its EPSS exploit-prediction score is 0% (30th percentile), an estimate of the probability of exploitation in the next 30 days.
What products are affected by CVE-2026-9516?
CVE-2026-9516 affects Rurban Cpanel. See the affected-products list for the exact vulnerable versions.
How do I fix CVE-2026-9516?
Review the linked vendor and NVD advisories for patched versions and mitigations, then upgrade or apply the recommended workaround. Given its high severity, prioritise patching exposed systems.
Does CVE-2026-9516 have an EU (EUVD) identifier?
Yes. CVE-2026-9516 is tracked in the ENISA EU Vulnerability Database (EUVD) as EUVD-2026-34061.
When was CVE-2026-9516 published?
CVE-2026-9516 was published on 2026-06-03 and last updated on 2026-06-17.

References

Affected products (1)

Other CWE-755 (Improper Handling of Exceptional Conditions) vulnerabilities

Browse all CWE-755 (Improper Handling of Exceptional Conditions) vulnerabilities →