CVE-2026-46720

Net::Statsd::Tiny versions before 0.3.8 for Perl allowed metric injections

CVSS 8.2 HIGHEPSS 0.3%CWE-150 CWE-93

In short

Net::Statsd::Tiny for Perl allowed attackers to inject malicious metrics into monitoring data by exploiting missing validation of special characters. This could corrupt monitoring data and cause false alerts or data manipulation.

Technical detail

CWE-150 and CWE-93 vulnerability where metric names and values lack input validation for newline, colon, and pipe characters. Untrusted metric sources can inject additional statsd protocol commands, allowing protocol injection attacks that compromise monitoring integrity without authentication requirements.

Summary generated and translated by AI from the official description.

Net::Statsd::Tiny versions before 0.3.8 for Perl allowed metric injections. The metric names and set values were not checked for newlines, colons or pipes. Metrics generated from untrusted sources could inject additional statsd metrics.

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:N

Affected products

RRWO · Net::Statsd::Tiny

Want to know if your infrastructure is exposed to this?

Talk to TrueHacking →

References

https://github.com/robrwo/Net-Statsd-Tiny/commit/06f814f52fbcc0b2afddf7a2d6f8137fd3cede13.patch https://metacpan.org/release/RRWO/Net-Statsd-Tiny-v0.3.8/changes https://www.cve.org/CVERecord?id=CVE-2026-46719