The CPAN Security Group was authorized by the CVE Program as a CVE Numbering Authority (CNA) on Feb 25, 2025. A CNA assigns and manages CVE identifiers for projects in their scope.

Our scope is vulnerabilities in Perl and CPAN Modules (including End-of-Life Perl versions) found at perl.org, cpan.org or metacpan.org, excluding distributions of Perl or CPAN Modules maintained by third-party redistributors.

CVE is an international, community-based effort to identify, define and catalog publicly disclosed software vulnerabilities. To learn more about the CVE program, visit www.cve.org.

Report Vulnerability

Vulnerabilities should be reported according to the security policy of the affected project.

For more details, see our guide on how to Report a Security Issue in Perl and the CPAN ecosystem.

Contact Us

To request a CVE identifier, or to update a CVE we have issued, please send an email to cve-request@security.metacpan.org.

Subscribe to the cve-announce mailing list to be notified of new CVEs published by us.

For questions, disputes or other CNA related queries please use cna@security.metacpan.org. Disputes are handled according to the CNA rules.