Home

Description

Net::Statsd::Tiny versions before 0.3.8 for Perl allowed metric injections. The metric names and set values were not checked for newlines, colons or pipes. Metrics generated from untrusted sources could inject additional statsd metrics.

PUBLISHED Reserved 2026-05-16 | Published 2026-05-17 | Updated 2026-05-17 | Assigner CPANSec

Problem types

CWE-93 Improper Neutralization of CRLF Sequences

Product status

Default status
unaffected

Any version before 0.3.8
affected

Timeline

2026-05-14:Issue reported to CPANSec
2026-05-15:Author notified
2026-05-17:Fix released

References

metacpan.org/release/RRWO/Net-Statsd-Tiny-v0.3.8/changes release-notes

github.com/...06f814f52fbcc0b2afddf7a2d6f8137fd3cede13.patch patch

www.cve.org/CVERecord?id=CVE-2026-46719 related

cve.org (CVE-2026-46720)

nvd.nist.gov (CVE-2026-46720)

Download JSON