Mojolicious::Plugin::Statsd versions through 0.04 for Perl allowed metric injections
Summary
| CVE | CVE-2026-46740 |
|---|---|
| State | PUBLISHED |
| Assigner | CPANSec |
| Source Priority | CVE Program / NVD first with legacy fallback |
| Published | 2026-05-26 23:16:20 UTC |
| Updated | 2026-05-27 19:38:33 UTC |
| Description | Mojolicious::Plugin::Statsd versions through 0.04 for Perl allowed metric injections. The metric names and set values were not checked for newlines, colons or pipes. Metrics generated from untrusted sources could inject additional statsd metrics. Version 0.06 changes the module from being a statsd client to using a separate statsd client. It defaults to using a version of Net::Statsd::Tiny that fixes a similar issue (CVE-2026-46720). |
Risk And Classification
EPSS: 0.000080000 probability, percentile 0.008070000 (date 2026-05-27)
Problem Types: CWE-93 | CWE-93 CWE-93 Improper Neutralization of CRLF Sequences
Vendor Declared Affected Products
| Source | Vendor | Product | Version | Platforms |
|---|---|---|---|---|
| CNA | RRWO | MojoliciousPluginStatsd | affected 0.04 custom | Not specified |
References
| Reference | Source | Link | Tags |
|---|---|---|---|
| www.cve.org/CVERecord | 9b29abf9-4ab0-4765-b253-1875cd9b441e | www.cve.org | |
| metacpan.org/release/RRWO/Mojolicious-Plugin-Statsd-0.06/changes | 9b29abf9-4ab0-4765-b253-1875cd9b441e | metacpan.org | |
| github.com/robrwo/perl-Mojolicious-Plugin-Statsd/commit/f049156982a2c0b8... | 9b29abf9-4ab0-4765-b253-1875cd9b441e | github.com | |
| CVE Program record | CVE.ORG | www.cve.org | canonical |
| NVD vulnerability detail | NVD | nvd.nist.gov | canonical, analysis |
No vendor comments have been submitted for this CVE.
Additional Advisory Data
Solutions
CNA: Upgrade to Mojolicious::Plugin::Statsd version 0.06 or later.
There are currently no legacy QID mappings associated with this CVE.