CVE-2026-49942
HIGHDescription
Net::CIDR::Set versions through 0.20 for Perl did not validate network masks. The mask portion of a network mask could contain Unicode digits such as the Arabic-Indic One (U+0661), or non-digits, which were ignored. This could allow network masks to accept larger networks. Leading zeros were also accepted, but treated as decimal instead of octal. This could lead to confusion about what networks are acceptable.
CVSS v3.1 Score
EPSS — Exploit Prediction
EPSS estimates the probability that this vulnerability will be exploited in the wild within the next 30 days. A higher score means more likely to be exploited.
Weakness Type (CWE)
Affected Products
| Vendor | Product |
|---|---|
| rrwo | net\ |
References
Frequently Asked Questions
What is CVE-2026-49942? +
How severe is CVE-2026-49942? +
What products are affected by CVE-2026-49942? +
How do I check if I'm vulnerable to CVE-2026-49942? +
Related Vulnerabilities
The ToASCII and ToUnicode functions incorrectly accept Punycode-encoded labels that decode to an ASCII-only label. For example, ToUnicode("xn--example-.com") incorrectly returns …
The Aqara Cloud OAuth Authorization Endpoint (open-cn.aqara.com/oauth/authorize) is vulnerable to a redirect bypass due to lax controls on domain matching, …
Improper Validation of Unsafe Equivalence in punycode by the idna crate from Servo rust-url allows an attacker to create a …
1Password 8 before 8.10.36 for macOS allows local attackers to exfiltrate vault items because XPC inter-process communication validation is insufficient.
An issue was discovered in za-internet C-MOR Video Surveillance 5.2401 and 6.00PL01. Due to insufficient input validation, the C-MOR web …
Fedify is a TypeScript library for building federated server apps powered by ActivityPub. Prior to versions 1.9.11, 1.10.10, 2.0.18, 2.1.14, …