Security Advisories (2)
CVE-2026-57073 (2026-07-16)

HTML::Bare versions through 0.04 for Perl have an unbounded character lookahead. The parserc_parse function attempts to check for multicharacter strings such as "<![CDATA" or element terminators such as ">" without checking that the offsets are within the buffer. Truncated strings such as "<a/" can trigger an out-of-bounds read. Note that the latest version available on CPAN is version 0.02. Newer versions are available on the git repository.

CVE-2026-13397 (2026-07-16)

HTML::Bare versions through 0.04 for Perl will hang in an infinite loop when parsing malformed attributes. The parserc_parse function never advances the attribute-parse state cursor on certain malformed attribute forms, looping forever. Nameless attributes such as "<a ='c'>" or unbalanced quotes "<a b='''''''c'>" can trigger this condition. Note that the latest version available on CPAN is version 0.02. Newer versions are available on the git repository.

Changes for version 0.02

  • Correct bugs related to self closing nodes. ( name stack was not being properly maintained for them )
  • Add a unit test, Bug_self_closing.t, to test fixed bugs
  • Fix existing bug carried over from XML::Bare regarding incorrect _z values
  • Create a new function 'raw' to give you the original string of text for a specific node. This is important for HTML as the exact contents of nodes are often useful.

Modules

Minimal HTML parser implemented via a C state engine

Provides

in Bare.pm