
Net::Statsite::Client CVE-2026-11373

EUVD: EUVD-2026-38224 · CRITICAL
Improper Neutralization of CRLF Sequences ('CRLF Injection') (CWE-93)
2026-06-22 · CPANSec · GHSA-g5q2-6jvc-qfhh
CVSS 3.1 base score 9.1 · Vendor: CPANSec

Severity by source

Vendor (CPANSec), primary: 9.1 CRITICAL
CVSS 3.1: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

vuln.today AI: 5.8 MEDIUM
Network-reachable via the calling app, no auth or UI; impact is limited integrity of the downstream monitoring system (scope changed), with no confidentiality or availability effect, so C:N, I:L, A:N.
CVSS 3.1: AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:L/A:N
CVSS 4.0: AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:N/SI:L/SA:N

Primary rating from Vendor (CPANSec).

CVSS Vector (Vendor: CPANSec)

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: None

Lifecycle Timeline

Jun 22, 2026 16:53 (vuln.today): Analysis generated
Jun 22, 2026 16:52 (NVD): CVSS changed to 9.1 (CRITICAL)
Jun 22, 2026 11:28 (cve.org): CVE published, severity unknown (no severity yet)

Description (CVE.org)

Net::Statsite::Client versions through 1.1.0 for Perl allow metric injections.

Net::Statsite::Client is a client for the statsite protocol, which is a variant of statsd.

Newlines are not removed from metric names, allowing metric injections.

Values are not sanitised for newlines or other protocol control characters such as colons or pipes, allowing metric injections.

Analysis (AI)

Metric injection in the Perl module Net::Statsite::Client through version 1.1.0 allows attackers controlling metric names or values to inject arbitrary statsite protocol commands by smuggling newlines, colons, and pipe characters that the library fails to sanitize. The flaw maps to CWE-93 (CRLF Injection) and affects any application that forwards untrusted input into metric reporting. …


Attack Chain (AI-derived)

Hypothetical attack flow derived from CVE metadata

Access: Identify Perl service emitting user-derived metrics
Delivery: Submit input containing newline and pipe characters
Exploit: Library forwards unsanitized string to statsite
Execution: Collector parses injected metric line
Persist: Falsified data lands in monitoring backend
Impact: Dashboards and alert thresholds corrupted

Vulnerability Assessment (AI)

Exploitation: Exploitation requires a Perl application that uses Net::Statsite::Client and passes attacker-influenced string data directly into a metric name or metric value argument without prior sanitization; the attacker also needs a statsite (or compatible statsd) collector downstream that will parse the resulting line-delimited stream. …

Risk Assessment: The NVD CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N (9.1) appears inflated for the actual flaw: metric injection has clear integrity impact on monitoring data but no obvious confidentiality impact, so C:H is hard to justify from the description alone. …

Exploit Scenario: An attacker submits a username, log message, or HTTP header value containing an embedded newline followed by a forged metric line (for example 'alice\nrevenue.usd:1000000|c') to a Perl web service that increments a per-user counter via Net::Statsite::Client. The library transmits the raw string to the statsite collector, which parses it as two metrics and records the bogus revenue datapoint, corrupting dashboards and potentially silencing real alerts. …

Remediation: An upstream fix is available as a patch; a released patched version has not been independently confirmed. Apply the official patch from https://security.metacpan.org/patches/N/Net-Statsite-Client/1.1.0/CVE-2026-11373-r1.patch and upgrade to the next CPAN release of Net-Statsite-Client above 1.1.0 once JASEI publishes it. …
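The description above says newlines are not removed from metric names and that values are not checked for newlines, colons or pipes, and the exploit scenario shows what a collector does with such a string. The following is an added example, not code from Net::Statsite::Client, CPANSec or vuln.today: it models the statsd/statsite line protocol ("name:value|type", one metric per line) with a simplified collector-side parser, places a naive encoder that interpolates caller input straight into the wire format next to a hardened one that neutralises the protocol characters and only accepts numeric values, and includes a small helper that reports which control characters an untrusted input carries, for logging at the application boundary. The function names, the parser's grammar and the allowed metric-type set are this example's own assumptions, not the module's API.

```python
"""
Added example (not Net::Statsite::Client's code): statsd/statsite line-protocol
model showing how unneutralised newlines, colons and pipes in a metric name or
value turn one client call into a forged metric at the collector, and one way
a client can neutralise them. Function names and the allowed-type set are
assumptions of this example.
"""
import re
from dataclasses import dataclass

# Characters with protocol meaning: CR/LF end a metric line, ':' separates
# name from value, '|' separates value from type (and from a sample rate).
PROTOCOL_CHARS = frozenset("\r\n:|")

# Metric types the hardened encoder accepts (assumed allow-list).
ALLOWED_TYPES = frozenset({"c", "g", "ms", "s"})

# name:value|type; anything after the type (e.g. a sample rate) is ignored.
_LINE = re.compile(r"^([^:]+):([^|]*)\|([A-Za-z]+)")


@dataclass(frozen=True)
class Metric:
    name: str
    value: str
    kind: str


def parse_stream(payload: str) -> list[Metric]:
    """Parse a line-delimited stream roughly as a statsd-style collector would:
    every line is an independent metric, and lines that do not fit the grammar
    are dropped. This reader behaviour is what an injected newline exploits."""
    metrics = []
    for line in payload.splitlines():
        m = _LINE.match(line)
        if m:
            metrics.append(Metric(*m.groups()))
    return metrics


def encode_unsafe(name: str, value, kind: str = "c") -> str:
    """Naive encoder: interpolates caller input straight into the wire format,
    which is the unneutralised behaviour the advisory describes."""
    return f"{name}:{value}|{kind}\n"


def offending_chars(text: str) -> set[str]:
    """Protocol control characters present in untrusted input; handy for
    logging or alerting at the application boundary before anything is sent."""
    return {ch for ch in text if ch in PROTOCOL_CHARS}


def sanitize_name(name: str) -> str:
    """Replace protocol control characters and whitespace with '_'.
    Rewriting keeps the metric flowing; rejecting outright is the stricter
    alternative when a name should never contain such characters."""
    cleaned = "".join("_" if ch in PROTOCOL_CHARS or ch.isspace() else ch
                      for ch in name)
    if not cleaned.strip("_"):
        raise ValueError("metric name has no usable characters")
    return cleaned


def encode_safe(name: str, value, kind: str = "c") -> str:
    """Hardened encoder: sanitised name, numeric value only (so a value can
    never carry ':', '|' or a newline) and an allow-listed metric type."""
    if kind not in ALLOWED_TYPES:
        raise ValueError(f"unsupported metric type {kind!r}")
    if isinstance(value, bool) or not isinstance(value, (int, float)):
        raise ValueError("metric value must be an int or float")
    return f"{sanitize_name(name)}:{value}|{kind}\n"


if __name__ == "__main__":
    # Constructed input: the advisory's example username payload.
    username = "alice\nrevenue.usd:1000000|c"
    print("unsafe:", parse_stream(encode_unsafe("login.user." + username, 1)))
    print("safe:  ", parse_stream(encode_safe("login.user." + username, 1)))
    print("control characters seen:", offending_chars(username))
```

With the advisory's payload, the naive encoder produces a stream in which the intended per-user line has no value and is dropped, while the forged `revenue.usd` line is parsed and recorded; the hardened encoder turns the whole username into one harmless metric name, and a string handed in as a value is refused before it reaches the wire.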

Recommended Action (AI)

Within 24 hours: Identify all systems and applications using Net::Statsite::Client in your infrastructure. …


More in Net

CVE-2026-33811 HIGH POC
7.5 May 07

Memory corruption in Go's net library (versions <1.25.10 and 1.26.0-1.26.2) leads to application crash when parsing mali

CVE-2026-45491 MEDIUM POC
5.5 Jun 09

Local file tampering via symlink/junction following in Microsoft .NET runtimes 8.0, 9.0, and 10.0 allows a local unauthe

CVE-2024-57854 CRITICAL
9.1 Mar 05

Weak PRNG in Net::NSCA::Client through 0.009002 for Perl. Patch available.

CVE-2026-45591 HIGH
7.5 Jun 09

Remote denial of service in ASP.NET Core enables unauthenticated network attackers to exhaust server resources and disru

CVE-2026-45490 HIGH
7.8 Jun 09

Local privilege escalation in Microsoft .NET allows an authenticated low-privileged user to elevate to higher privileges

CVE-2025-26646 HIGH
8.0 May 13

External control of file name or path in .NET, Visual Studio, and Build Tools for Visual Studio allows an authorized att

CVE-2026-49941 HIGH
7.5 Jun 04

Denial of service in the Perl module Net::CIDR::Set through version 0.20 allows remote unauthenticated attackers to trig

CVE-2026-40198 HIGH
7.5 Apr 10

IPv6 address validation bypass in Net::CIDR::Lite for Perl (versions <0.23) allows remote attackers to circumvent IP acc

CVE-2026-57081 HIGH
7.5 Jun 30

Net::BitTorrent versions through 2.0.1 for Perl allow remote memory exhaustion via deeply nested bencoded input. bdecod

CVE-2026-57080 HIGH
7.5 Jun 30

Remote memory exhaustion in the Net::BitTorrent Perl module (all versions through 2.0.1) lets any unauthenticated peer i

CVE-2026-45190 MEDIUM
6.5 May 10

Net::CIDR::Lite Perl module versions before 0.24 fail to properly validate IP address and CIDR mask inputs, allowing att

CVE-2026-8722 MEDIUM
6.5 Jun 03

Metric name injection in Net::Async::Statsd::Client (Perl, versions through 0.005) allows network-reachable, unauthentic
