IO::Compress versions before 2.220 for Perl can execute arbitrary code in File::GlobMapper via an attacker-controlled output glob. _parseOutputGlob() wraps the caller-supplied output glob string in double quotes and stores it in the parser state; _getFiles() then runs the stored expression through eval STRING. A literal double quote in the output glob closes the dquote wrapper, and the characters that follow are evaluated as Perl. Arbitrary Perl in the output glob executes at the calling process's privilege.
https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-48962.json
https://metacpan.org/release/PMQS/IO-Compress-2.220/changes
https://github.com/pmqs/IO-Compress/commit/f2db247bf90d4cc7ee2710be384946081f3b4610.patch
https://bugzilla.redhat.com/show_bug.cgi?id=2481767
https://access.redhat.com/security/cve/CVE-2026-48962
https://access.redhat.com/errata/RHSA-2026:30860
https://access.redhat.com/errata/RHSA-2026:30859
https://access.redhat.com/errata/RHSA-2026:30858
https://access.redhat.com/errata/RHSA-2026:30851
https://access.redhat.com/errata/RHSA-2026:30843
https://access.redhat.com/errata/RHSA-2026:30115
https://access.redhat.com/errata/RHSA-2026:30086
https://access.redhat.com/errata/RHSA-2026:30085
https://access.redhat.com/errata/RHSA-2026:29941
https://access.redhat.com/errata/RHSA-2026:29867
https://access.redhat.com/errata/RHSA-2026:29210