I think an attacker could at least inject HTML/JS/XSS into your web-page and damage the user.

One major rule is to mistrust any input and to filter to a minimal whitelist of allowed/expected characters.

see also

• -T taint ff
• perlsec
• OWASP
• HTML injection

update

after wondering what $buffer means I realized that you don't even use strict and warnings ... 🤷🏽🤦🤷🏽