News

CPANSec CNA and CVE FAQ

less than 1 minute read

We have added a CPANSec CNA and CVE Frequently Asked Questions (FAQ).

CNA Vulnerability to Fix and Disclosure Workflow

less than 1 minute read

We have added the CNA Vulnerability to Fix and Disclosure Workflow, which describes our process from receiving vulnerability reports to publishing vulnerabilities.

MetaCPAN now displays security advisories

less than 1 minute read

The MetaCPAN website now displays security advisories when you view a distribution that has a known security advisory.

CPANSec is CNA for Perl and the CPAN ecosystem

1 minute read

The CPAN Security Group was authorized by the CVE Program as a CVE Numbering Authority (CNA) on Feb 25, 2025. A CNA assigns and manages CVE identifiers for p...

App::cpanminus downloads code using insecure HTTP

2 minute read

CVE-2024-45321: In its default configuration cpanminus uses insecure HTTP to download and install code from CPAN. This results in a CWE-494 weakness, enablin...

Vulnerable Spreadsheet Parsing modules

8 minute read

Between Dec 2023 and Jan 2024, vulnerabilities in Spreadsheet::ParseExcel and Spreadsheet::ParseXLSX were reported to the CPAN Security Group (CPANSec). This...