CVE-2026-46719

Net::Statsd::Lite versions before 0.9.0 for Perl allowed metric injections

CVSS 6.5 MEDIUM · EPSS 0.3% · CWE-150 · CWE-93
In short

A vulnerability in Net::Statsd::Lite allows attackers to inject extra metrics into monitoring systems by adding special characters to metric names. This can disrupt monitoring, hide real data, or send false metrics.

Technical detail

The flaw is classified as CWE-150 and CWE-93: metric names are not validated for newline, colon, and pipe characters, which enables injection of arbitrary StatsD protocol commands. Exploitation requires an attacker to control the metric names passed to the library; a successful injection can introduce false metrics or manipulate the protocol, affecting monitoring integrity.

Summary generated and translated by AI from the official description.
Net::Statsd::Lite versions before 0.9.0 for Perl allowed metric injections. The metric names were not checked for newlines, colons or pipes. Metrics generated from untrusted sources could inject additional statsd metrics.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
Affected products
RRWO · Net::Statsd::Lite
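
An added example (not code from Net::Statsd::Lite or from this advisory) of checking metric names for the characters named in the description before they reach a StatsD client, and of why an unchecked name changes what the receiver parses. `is_safe_metric_name`, `format_counter` and `parse_datagram` are hypothetical helpers, the `name:value|c` counter line is the common StatsD format assumed here, and the sample names are constructed.

```perl
#!/usr/bin/env perl
use strict;
use warnings;

# Characters with meaning in the StatsD line protocol: newline separates
# metrics in a datagram, ":" separates name from value, "|" separates fields.
# Carriage return is rejected too; that is an extra precaution assumed here.
sub is_safe_metric_name {
    my ($name) = @_;
    return 0 unless defined $name && length $name;
    return $name !~ /[\r\n:|]/ ? 1 : 0;
}

# Hypothetical formatter standing in for a client that does no checking.
sub format_counter {
    my ($name, $value) = @_;
    return "$name:$value|c";
}

# Receiver's view: split a datagram into lines, then each line into
# name, value and type.
sub parse_datagram {
    my ($payload) = @_;
    my @metrics;
    for my $line (split /\n/, $payload) {
        next unless $line =~ /\A([^:]+):([^|]+)\|(\w+)/;
        push @metrics, { name => $1, value => $2, type => $3 };
    }
    return @metrics;
}

# Constructed sample input: names derived from an untrusted request field.
my @names = (
    "web.login.ok",
    "web.login.ok:1|c\nweb.errors",
);

for my $name (@names) {
    my @seen = parse_datagram(format_counter($name, 1));
    (my $shown = $name) =~ s/\n/\\n/g;    # make the newline visible in output
    printf "%-32s safe=%d metrics_parsed=%d\n",
        $shown, is_safe_metric_name($name), scalar @seen;
}
```

Run the check on every name built from request data, hostnames, or other external input, and drop or rewrite names that fail it rather than passing them on to the client.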
