<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>Perl on ZX Cloud Security</title><link>https://zxcloudsecurity.co.uk/tags/perl/</link><description>Recent content in Perl on ZX Cloud Security</description><generator>Hugo</generator><language>en-GB</language><lastBuildDate>Sun, 15 Jun 2025 08:02:31 +0000</lastBuildDate><atom:link href="https://zxcloudsecurity.co.uk/tags/perl/index.xml" rel="self" type="application/rss+xml"/><item><title>CVE-2026-11526: Perl GD OS Command Injection Flaw</title><link>https://zxcloudsecurity.co.uk/posts/cve-2026-11526-perl-gd-os-command-injection-file-overwrite/</link><pubDate>Mon, 15 Jun 2026 08:02:31 +0000</pubDate><guid>https://zxcloudsecurity.co.uk/posts/cve-2026-11526-perl-gd-os-command-injection-file-overwrite/</guid><description>CVE-2026-11526 affects Perl GD before v2.86, enabling OS command injection and file overwrite via unsafe two-arg open() calls. Patch now.</description><content:encoded><![CDATA[<p>🟠 <strong>High</strong>  |  <strong>Source:</strong> <a href="https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-11526">Microsoft Security Response Center</a></p>
<hr>
<p>A vulnerability in GD versions before 2.86 for Perl allows attackers to perform OS command injection and overwrite arbitrary files by exploiting a two-argument open() call used on filename arguments in the _make_filehandle function. This is a well-known Perl pitfall: the two-argument form of open() derives the mode from the filename string itself, so an unsanitised filename can be interpreted as a shell command or a redirect rather than as a plain path. If exploited, an attacker could execute arbitrary commands or corrupt files on the underlying system.</p>
<blockquote>
<p><strong>Security Architect&rsquo;s Take:</strong> Audit any Azure workloads, container images, or pipelines that use the Perl GD module and upgrade to version 2.86 or later immediately. Pay particular attention to serverless functions, AKS workloads, and CI/CD environments where untrusted input may influence filename arguments passed to GD.</p>
</blockquote>
<p><strong>Original advisory:</strong> <a href="https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-11526">CVE-2026-11526 GD versions before 2.86 for Perl allow OS command injection and file overwrite via a 2-arg open() of filename arguments in _make_filehandle</a></p>
]]></content:encoded></item></channel></rss>