CVE-2026-46740 | THREATINT

Description

Mojolicious::Plugin::Statsd versions through 0.04 for Perl allowed metric injections. The metric names and set values were not checked for newlines, colons or pipes. Metrics generated from untrusted sources could inject additional statsd metrics. Version 0.06 changes the module from being a statsd client to using a separate statsd client. It defaults to using a version of Net::Statsd::Tiny that fixes a similar issue (CVE-2026-46720).

PUBLISHED Reserved 2026-05-17 | Published 2026-05-26 | Updated 2026-05-28 | Assigner CPANSec

Problem types

CWE-93 Improper Neutralization of CRLF Sequences

Product status

Default status

unaffected

Any version

affected

References

metacpan.org/.../RRWO/Mojolicious-Plugin-Statsd-0.06/changes release-notes

github.com/...f049156982a2c0b8050f173e24a04a29ddd64853.patch patch

www.cve.org/CVERecord?id=CVE-2026-46720 related

cve.org (CVE-2026-46740)

nvd.nist.gov (CVE-2026-46740)

Download JSON