Net::Statsd::Tiny versions before 0.3.8 for Perl allowed metric injections
Summary
| CVE | CVE-2026-46720 |
|---|---|
| State | PUBLISHED |
| Assigner | CPANSec |
| Source Priority | CVE Program / NVD first with legacy fallback |
| Published | 2026-05-17 18:16:27 UTC |
| Updated | 2026-05-17 18:16:27 UTC |
| Description | Net::Statsd::Tiny versions before 0.3.8 for Perl allowed metric injections. The metric names and set values were not checked for newlines, colons or pipes. Metrics generated from untrusted sources could inject additional statsd metrics. |
Risk And Classification
Problem Types: CWE-93 | CWE-93 CWE-93 Improper Neutralization of CRLF Sequences
Vendor Declared Affected Products
| Source | Vendor | Product | Version | Platforms |
|---|---|---|---|---|
| CNA | RRWO | NetStatsdTiny | affected 0.3.8 custom | Not specified |
References
| Reference | Source | Link | Tags |
|---|---|---|---|
| metacpan.org/release/RRWO/Net-Statsd-Tiny-v0.3.8/changes | 9b29abf9-4ab0-4765-b253-1875cd9b441e | metacpan.org | |
| www.cve.org/CVERecord | 9b29abf9-4ab0-4765-b253-1875cd9b441e | www.cve.org | |
| github.com/robrwo/Net-Statsd-Tiny/commit/06f814f52fbcc0b2afddf7a2d6f8137... | 9b29abf9-4ab0-4765-b253-1875cd9b441e | github.com | |
| CVE Program record | CVE.ORG | www.cve.org | canonical |
| NVD vulnerability detail | NVD | nvd.nist.gov | canonical, analysis |
No vendor comments have been submitted for this CVE.
Additional Advisory Data
| Source | Time | Event |
|---|---|---|
| CNA | 2026-05-14T00:00:00.000Z | Issue reported to CPANSec |
| CNA | 2026-05-15T00:00:00.000Z | Author notified |
| CNA | 2026-05-17T00:00:00.000Z | Fix released |
Solutions
CNA: Upgrade to Net::Statsd::Time version 0.3.8 or later.
Workarounds
CNA: Apply the patch. Alternatively, validate that all metrics and setr values sent to the client based on untrusted data do not contain metric injections This is the same issue CVE-2026-46719 that affected Net::Statsd::Lite.
There are currently no legacy QID mappings associated with this CVE.