CSIRTS // UNIFIED SECURITY ADVISORY FEEDSYS ● ONLINE · POWERED BY INTELFUSIONS.COM

CVE-2026-49147

highCVSS 7.5covered by 1 sourcefirst seen 2026-07-08
App::Ack versions through 3.10.0 for Perl print unsanitised terminal escape sequences from filenames in several output modes. When ack prints a filename whose basename contains terminal control bytes such as ANSI escape sequences, those bytes reach the terminal unchanged. Version 3.10.0 added a _safe_filename helper that sanitises the filenames printed by -f, -g, the colored match heading, and per-match lines, but the --show-types, -l/-L, and -c paths still emit the raw filename. A file whose name embeds cursor-movement or color escapes can overwrite or recolor earlier terminal output, or be passed unchanged to a downstream consumer.

⚡ Watch CVE-2026-49147

Get an email if CVE-2026-49147 is added to CISA KEV, gains public exploit code, or a new advisory cites it — max one per day, one-click unsubscribe.

Exploitation outlook

Advisory coverage (1)

External references

NVD record for CVE-2026-49147

CVE.org record

Embed the live status

CVE-2026-49147 live status badge — this badge updates automatically when the KEV or exploit status changes. How to embed it →

[![CVE-2026-49147 status](https://www.csirts.com/badge/CVE-2026-49147)](https://www.csirts.com/cve/CVE-2026-49147)