Home

Description

Net::Statsd::Lite versions before 0.9.0 for Perl allowed metric injections. The metric names were not checked for newlines, colons or pipes. Metrics generated from untrusted sources could inject additional statsd metrics.

PUBLISHED Reserved 2026-05-16 | Published 2026-05-16 | Updated 2026-05-16 | Assigner CPANSec

Problem types

CWE-93 Improper Neutralization of CRLF Sequences

Product status

Default status
unaffected

Any version before 0.9.0
affected

Timeline

2026-05-14:Issue reported to CPANSec
2026-05-15:Author notified
2026-05-16:Fix released

References

www.openwall.com/lists/oss-security/2026/05/16/9

metacpan.org/release/RRWO/Net-Statsd-Lite-v0.9.0/changes release-notes

github.com/...e1a8ab866d75c2827982134e9cf7e51a7f771153.patch patch

cve.org (CVE-2026-46719)

nvd.nist.gov (CVE-2026-46719)

Download JSON