Upstream information

CVE-2026-49147 at MITRE

Description

App::Ack versions through 3.10.0 for Perl print unsanitised terminal escape sequences from filenames in several output modes.

When ack prints a filename whose basename contains terminal control bytes such as ANSI escape sequences, those bytes reach the terminal unchanged. Version 3.10.0 added a _safe_filename helper that sanitises the filenames printed by -f, -g, the colored match heading, and per-match lines, but the --show-types, -l/-L, and -c paths still emit the raw filename.

A file whose name embeds cursor-movement or color escapes can overwrite or recolor earlier terminal output, or be passed unchanged to a downstream consumer.

SUSE information

Overall state of this security issue: Does not affect SUSE products

No SUSE Bugzilla entries cross referenced.

No SUSE Security Announcements cross referenced.

List of released packages

Product(s) Fixed package version(s) References
openSUSE Tumbleweed
  • ack >= 3.10.0-1.1
  • perl-App-Ack >= 3.10.0-1.1
Patchnames:
openSUSE-Tumbleweed-2026-10965


SUSE Timeline for this CVE

CVE page created: Tue Jun 9 11:36:22 2026
CVE page last modified: Wed Jul 8 20:32:19 2026