Security Advisories (2)
CVE-2026-13401 (2026-07-16)

XML::Bare versions through 0.53 for Perl will hang in an infinite loop when parsing malformed attributes. The parserc_parse function never advances the attribute-parse state cursor on certain malformed attribute forms, looping forever. Nameless attributes such as "<a ='c'>" or unbalanced quotes "<a b='''''''c'>" can trigger this condition.

CVE-2026-57074 (2026-07-16)

XML::Bare versions through 0.53 for Perl have an unbounded character lookahead. The parserc_parse function attempts to check for multicharacter strings such as "<![CDATA" or element terminators such as ">" without checking that the offsets are within the buffer. Truncated strings such as "<a/" can trigger an out-of-bounds read.

Changes for version 0.51

  • New 'unsafe' parsing mode, giving a 30% speed increase with some downfalls
  • New 'read_more' function, allowing more data to be read in before parsing into a tree
  • Fixed some memory leaks
  • Added 'Controversy' section to documentation
  • Updated speed comparisons for feed2.xml, adding a comparison against XML::Fast as well as a comparison of running in 'unsafe' mode.
  • Spelling correction
  • "Modernized" file handling using my variables

Modules

Minimal XML parser implemented via a C state engine

Provides

in Bare.pm