Description

Net::Statsd::Lite versions through 0.10.0 for Perl allowed metric injection. The values passed to the set_add method were not checked for newlines, colons or pipes, so metrics generated from untrusted sources could inject additional statsd metrics. Note that version 0.9.0 fixed a similar issue, CVE-2026-46719, for metric names.
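
An added example, not code from Net::Statsd::Lite or its author: a self-contained Perl illustration of why newlines, colons and pipes in a set value matter on the statsd wire format (`name:value|type`, one metric per line), with a check applied before the value is sent. The helpers `parse_datagram`, `format_set` and `checked_set_value` and the sample values are hypothetical, and the parser is a simplified stand-in for a statsd server.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Simplified stand-in for a statsd server: one metric per line,
# each line read as "name:value|type".
sub parse_datagram {
    my ($datagram) = @_;
    my @metrics;
    for my $line (split /\n/, $datagram) {
        next unless $line =~ /\A([^:]+):([^|]*)\|([a-z]+)/;
        push @metrics, { name => $1, value => $2, type => $3 };
    }
    return @metrics;
}

# Hypothetical formatter for a set record ("|s"), with no checks on the value.
sub format_set {
    my ($name, $value) = @_;
    return sprintf "%s:%s|s\n", $name, $value;
}

# Hypothetical guard: refuse set members containing the characters the
# advisory names (newline, colon, pipe); carriage return is added here too.
sub checked_set_value {
    my ($value) = @_;
    die "set value is undefined\n" unless defined $value;
    die "set value contains a statsd delimiter\n" if $value =~ /[\r\n:|]/;
    return $value;
}

# Constructed sample inputs: an ordinary set member, and one carrying delimiters.
my @samples = ( 'user-1001', "user-1001|s\nlogins.failed:0|g" );

for my $value (@samples) {
    # Without a check, the server-side view of the datagram.
    my @seen = parse_datagram( format_set( 'visitors', $value ) );
    printf "unchecked: %d metric(s): %s\n", scalar @seen,
        join ', ', map { "$_->{name} ($_->{type})" } @seen;

    # With the check, the value is refused before anything is formatted.
    my $ok = eval { checked_set_value($value); 1 };
    ( my $err = $ok ? '' : $@ ) =~ s/\s+\z//;
    printf "checked:   %s\n", $ok ? 'accepted' : "rejected ($err)";
}
```

For the second sample the unchecked path yields two metrics from a single set call, while the guard rejects the value before it is formatted.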

PUBLISHED Reserved 2026-05-17 | Published 2026-05-18 | Updated 2026-05-19 | Assigner CPANSec

Problem types

CWE-93 Improper Neutralization of CRLF Sequences

Product status

Default status: unaffected

Any version: affected

Timeline

2026-05-14: Issue reported to CPANSec
2026-05-15: Author notified
2026-05-16: Fix released for CVE-2026-46719
2026-05-17: CVE-2026-8788 identified by author
2025-05-17: Fix released for CVE-2026-8788

References

metacpan.org/release/RRWO/Net-Statsd-Lite-v0.10.1/changes release-notes

www.cve.org/CVERecord?id=CVE-2026-46719 related

cve.org (CVE-2026-8788)

nvd.nist.gov (CVE-2026-8788)