CVE-2026-46739

Severity CVSS v4.0:
Pending analysis
Type:
CWE-93 Improper Neutralization of CRLF Sequences ('CRLF Injection')
Publication date:
04/06/2026
Last modified:
19/06/2026

Description

Net::Statsd versions before 0.13 for Perl allow metric injections.<br /> <br /> The metric names are not checked for newlines, colons or pipes. Metrics generated from untrusted sources could inject additional statsd metrics.<br /> <br /> The update_stats (used for updating counters) and gauge methods do not check that values are numeric (which would block metric injection).

Vulnerable products and versions

CPE From Up to
cpe:2.3:a:cosimo:net\:\:statsd:*:*:*:*:*:perl:*:* 0.13 (excluding)