HTTP-Daemon-6.17

Changes for version 6.17 - 2026-05-19

Fix CVE-2026-8450 (affects 6.15 and earlier): 2-arg open() in send_file() enabled RCE / arbitrary file write / response-body exfiltration when a string argument was derived from attacker- influenced input. send_file() now uses 3-arg open() with an explicit '<' read mode, so the path is always treated as a literal filename and 2-arg open() shell-magic shapes ('| cmd', 'cmd |', '> path', etc.) are no longer interpreted. send_file() now also returns '0E0' (true zero) on a successful zero-byte transfer so callers can distinguish empty file from open failure (undef). See https://www.cve.org/CVERecord?id=CVE-2026-8450 for the advisory. Reported and patched by Stig Palmquist (stigtsp). (Stig Palmquist, Olaf Alders)

A simple http server class

To install HTTP::Daemon, copy and paste the appropriate command in to your terminal.

cpanm HTTP::Daemon

perl -MCPAN -e shell
install HTTP::Daemon

For more information on module installation, please visit the detailed CPAN module installation guide.

	Global
`s`	Focus search bar
`?`	Bring up this help dialog

	GitHub
`g` `p`	Go to pull requests
`g` `i`	Go to GitHub issues (only if GitHub is preferred repository)

Search terms
module: (e.g. module:Plugin)
distribution: (e.g. distribution:Dancer auth)
author: (e.g. author:SONGMU Redis)
version: (e.g. version:1.00)