{"resultsPerPage":1,"startIndex":0,"totalResults":1,"format":"NVD_CVE","version":"2.0","timestamp":"2026-06-25T12:31:37.795","vulnerabilities":[{"cve":{"id":"CVE-2026-4177","sourceIdentifier":"9b29abf9-4ab0-4765-b253-1875cd9b441e","published":"2026-03-16T23:16:21.543","lastModified":"2026-06-17T10:56:07.343","vulnStatus":"Analyzed","cveTags":[],"descriptions":[{"lang":"en","value":"YAML::Syck versions through 1.36 for Perl has several potential security vulnerabilities including a high-severity heap buffer overflow in the YAML emitter.\n\nThe heap overflow occurs when class names exceed the initial 512-byte allocation.\n\nThe base64 decoder could read past the buffer end on trailing newlines.\n\nstrtok mutated n->type_id in place, corrupting shared node data.\n\nA memory leak occurred in syck_hdlr_add_anchor when a node already had an anchor. The incoming anchor string 'a' was leaked on early return."},{"lang":"es","value":"Las versiones de YAML::Syck hasta la 1.36 para Perl tienen varias vulnerabilidades de seguridad potenciales, incluyendo un desbordamiento de búfer de montículo de alta gravedad en el emisor YAML.\n\nEl desbordamiento de montículo ocurre cuando los nombres de clase exceden la asignación inicial de 512 bytes.\n\nEl decodificador base64 podría leer más allá del final del búfer en saltos de línea finales.\n\nstrtok mutó n->type_id in situ, corrompiendo datos de nodo compartidos.\n\nSe produjo una fuga de memoria en syck_hdlr_add_anchor cuando un nodo ya tenía un ancla. La cadena de ancla entrante 'a' se filtró en el retorno anticipado."}],"affected":[{"source":"9b29abf9-4ab0-4765-b253-1875cd9b441e","affectedData":[{"vendor":"TODDR","product":"YAML::Syck","defaultStatus":"unaffected","collectionURL":"https://cpan.org/modules","packageName":"YAML-Syck","programFiles":["emitter.c","handler.c","perl_common.h","perl_syck.h"],"programRoutines":[{"name":"YAML::Syck::yaml_syck_emitter_handler()"},{"name":"YAML::Syck::syck_base64dec()"},{"name":"YAML::Syck::yaml_syck_parser_handler()"},{"name":"YAML::Syck::syck_hdlr_add_anchor()"}],"repo":"https://github.com/cpan-authors/YAML-Syck","versions":[{"version":"0","lessThanOrEqual":"1.36","versionType":"custom","status":"affected"}]}]}],"metrics":{"cvssMetricV31":[{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H","baseScore":9.1,"baseSeverity":"CRITICAL","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"NONE","availabilityImpact":"HIGH"},"exploitabilityScore":3.9,"impactScore":5.2}],"ssvcV203":[{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","ssvcData":{"timestamp":"2026-03-17T14:04:29.127464Z","id":"CVE-2026-4177","options":[{"exploitation":"none"},{"automatable":"yes"},{"technicalImpact":"partial"}],"role":"CISA Coordinator","version":"2.0.3"}}]},"weaknesses":[{"source":"9b29abf9-4ab0-4765-b253-1875cd9b441e","type":"Secondary","description":[{"lang":"en","value":"CWE-122"}]}],"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:a:toddr:yaml\\:\\:syck:*:*:*:*:*:perl:*:*","versionEndExcluding":"1.37","matchCriteriaId":"618F919B-87EA-4A0F-9798-D29206FA3022"}]}]}],"references":[{"url":"https://github.com/cpan-authors/YAML-Syck/commit/e8844a31c8cf0052914b198fc784ed4e6b8ae69e.patch","source":"9b29abf9-4ab0-4765-b253-1875cd9b441e","tags":["Patch"]},{"url":"https://metacpan.org/release/TODDR/YAML-Syck-1.37_01/changes#L21","source":"9b29abf9-4ab0-4765-b253-1875cd9b441e","tags":["Release Notes"]},{"url":"http://www.openwall.com/lists/oss-security/2026/03/16/6","source":"af854a3a-2127-422b-91ae-364da2661108","tags":["Mailing List","Third Party Advisory"]}]}}]}