{"api_version":"1","generated_at":"2026-05-11T11:03:33+00:00","cve":"CVE-2026-45180","urls":{"html":"https://cve.report/CVE-2026-45180","api":"https://cve.report/api/cve/CVE-2026-45180.json","docs":"https://cve.report/api","cve_org":"https://www.cve.org/CVERecord?id=CVE-2026-45180","nvd":"https://nvd.nist.gov/vuln/detail/CVE-2026-45180"},"summary":{"title":"Catalyst::Plugin::Statsd versions through 0.10.0 for Perl may leak session ids","description":"Catalyst::Plugin::Statsd versions through 0.10.0 for Perl may leak session ids.\n\nIf the communication channel to the statsd daemon is not secured (for example, by sending UDP packets to a host on another network), then users' session ids may be leaked.  This may allow an attacker to use session ids as authentication tokens.","state":"PUBLISHED","assigner":"CPANSec","published_at":"2026-05-10 21:16:29","updated_at":"2026-05-10 21:16:29"},"problem_types":["CWE-319","CWE-319 CWE-319 Cleartext Transmission of Sensitive Information"],"metrics":[],"references":[{"url":"https://github.com/robrwo/Plack-Middleware-Statsd/security/advisories/GHSA-9gwm-665p-w2xx","name":"https://github.com/robrwo/Plack-Middleware-Statsd/security/advisories/GHSA-9gwm-665p-w2xx","refsource":"9b29abf9-4ab0-4765-b253-1875cd9b441e","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://metacpan.org/release/RRWO/Catalyst-Plugin-Statsd-v0.10.0/changes","name":"https://metacpan.org/release/RRWO/Catalyst-Plugin-Statsd-v0.10.0/changes","refsource":"9b29abf9-4ab0-4765-b253-1875cd9b441e","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://github.com/robrwo/CatalystX-Statsd/security/advisories/GHSA-gjvr-hq83-fc38","name":"https://github.com/robrwo/CatalystX-Statsd/security/advisories/GHSA-gjvr-hq83-fc38","refsource":"9b29abf9-4ab0-4765-b253-1875cd9b441e","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://www.cve.org/CVERecord?id=CVE-2026-45179","name":"https://www.c
ve.org/CVERecord?id=CVE-2026-45179","refsource":"9b29abf9-4ab0-4765-b253-1875cd9b441e","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://www.cve.org/CVERecord?id=CVE-2026-45180","name":"CVE Program record","refsource":"CVE.ORG","tags":["canonical"]},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-45180","name":"NVD vulnerability detail","refsource":"NVD","tags":["canonical","analysis"]}],"affected":[{"source":"CNA","vendor":"RRWO","product":"Catalyst::Plugin::Statsd","version":"affected 0.10.0 custom","platforms":[]}],"timeline":[],"solutions":[{"source":"CNA","title":"","value":"Upgrade to version 0.10.0 or later, which will no longer log session ids to statsd.\n\nIf Plack::Middleware::Statsd is upgraded to 0.9.0 or later and is configured to log some information securely, then session ids will be logged as HMAC signatures instead.","time":"","lang":"en"}],"workarounds":[{"source":"CNA","title":"","value":"Use a statsd daemon on the same host or through a secure communications channel.","time":"","lang":"en"}],"exploits":[],"credits":[],"nvd_cpes":[],"vendor_comments":[],"enrichments":{"kev":null,"epss":null,"legacy_qids":[]},"source_records":{"cve_program":{"containers":{"cna":{"affected":[{"collectionURL":"https://cpan.org/modules","defaultStatus":"unaffected","packageName":"Catalyst-Plugin-Statsd","product":"Catalyst::Plugin::Statsd","repo":"https://github.com/robrwo/CatalystX-Statsd","vendor":"RRWO","versions":[{"lessThanOrEqual":"0.10.0","status":"affected","version":"0","versionType":"custom"}]}],"descriptions":[{"lang":"en","value":"Catalyst::Plugin::Statsd versions through 0.10.0 for Perl may leak session ids.\n\nIf the communication channel to the statsd daemon is not secured (for example, by sending UDP packets to a host on another network), then users' session ids may be leaked.  
This may allow an attacker to use session ids as authentication tokens."}],"impacts":[{"capecId":"CAPEC-102","descriptions":[{"lang":"en","value":"CAPEC-102 Session Sidejacking"}]}],"problemTypes":[{"descriptions":[{"cweId":"CWE-319","description":"CWE-319 Cleartext Transmission of Sensitive Information","lang":"en","type":"CWE"}]}],"providerMetadata":{"dateUpdated":"2026-05-10T20:03:18.315Z","orgId":"9b29abf9-4ab0-4765-b253-1875cd9b441e","shortName":"CPANSec"},"references":[{"tags":["vendor-advisory"],"url":"https://github.com/robrwo/CatalystX-Statsd/security/advisories/GHSA-gjvr-hq83-fc38"},{"tags":["release-notes"],"url":"https://metacpan.org/release/RRWO/Catalyst-Plugin-Statsd-v0.10.0/changes"},{"tags":["related"],"url":"https://www.cve.org/CVERecord?id=CVE-2026-45179"},{"tags":["related"],"url":"https://github.com/robrwo/Plack-Middleware-Statsd/security/advisories/GHSA-9gwm-665p-w2xx"}],"solutions":[{"lang":"en","value":"Upgrade to version 0.10.0 or later, which will no longer log session ids to statsd.\n\nIf Plack::Middleware::Statsd is upgraded to 0.9.0 or later and is configured to log some information securely, then session ids will be logged as HMAC signatures instead."}],"source":{"discovery":"UNKNOWN"},"title":"Catalyst::Plugin::Statsd versions through 0.10.0 for Perl may leak session ids","workarounds":[{"lang":"en","value":"Use a statsd daemon on the same host or through a secure communications channel."}],"x_generator":{"engine":"cpansec-cna-tool 0.1"}}},"cveMetadata":{"assignerOrgId":"9b29abf9-4ab0-4765-b253-1875cd9b441e","assignerShortName":"CPANSec","cveId":"CVE-2026-45180","datePublished":"2026-05-10T20:03:18.315Z","dateReserved":"2026-05-09T18:57:17.867Z","dateUpdated":"2026-05-10T20:03:18.315Z","state":"PUBLISHED"},"dataType":"CVE_RECORD","dataVersion":"5.2"},"nvd":{"publishedDate":"2026-05-10 21:16:29","lastModifiedDate":"2026-05-10 21:16:29","problem_types":["CWE-319","CWE-319 CWE-319 Cleartext Transmission of Sensitive 
Information"],"metrics":[],"configurations":[]},"legacy_mitre":{"record":{"CveYear":"2026","CveId":"45180","Ordinal":"1","Title":"Catalyst::Plugin::Statsd versions through 0.10.0 for Perl may le","CVE":"CVE-2026-45180","Year":"2026"},"notes":[{"CveYear":"2026","CveId":"45180","Ordinal":"1","NoteData":"Catalyst::Plugin::Statsd versions through 0.10.0 for Perl may leak session ids.\n\nIf the communication channel to the statsd daemon is not secured (for example, by sending UDP packets to a host on another network), then users' session ids may be leaked.  This may allow an attacker to use session ids as authentication tokens.","Type":"Description","Title":"Catalyst::Plugin::Statsd versions through 0.10.0 for Perl may le"}]}}}