Skip to main content

Net::Statsd::Lite CVE-2026-46719

| EUVDEUVD-2026-30672 MEDIUM
Improper Neutralization of CRLF Sequences ('CRLF Injection') (CWE-93)
2026-05-16 CPANSec GHSA-2x39-j499-jv87
6.5
CVSS 3.1 · Vendor: CPANSec
Share

Severity by source

Vendor (CPANSec) PRIMARY
6.5 MEDIUM
AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N

Primary rating from Vendor (CPANSec) · only source for this CVE.

CVSS VectorVendor: CPANSec

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
Low
Availability
None

Lifecycle Timeline

4
Source Code Evidence Fetched
May 19, 2026 - 14:23 vuln.today
Analysis Generated
May 19, 2026 - 14:23 vuln.today
CVSS changed
May 19, 2026 - 14:22 NVD
6.5 (MEDIUM)
CVE Published
May 16, 2026 - 13:37 nvd
UNKNOWN (no severity yet)

DescriptionCVE.org

Net::Statsd::Lite versions before 0.9.0 for Perl allowed metric injections.

The metric names were not checked for newlines, colons or pipes. Metrics generated from untrusted sources could inject additional statsd metrics.

AnalysisAI

Metric injection in Net::Statsd::Lite (Perl) affects all releases before v0.9.0, allowing unauthenticated remote attackers to inject arbitrary statsd metrics by embedding newline, colon, or pipe characters into metric names derived from untrusted input. Because the statsd wire protocol uses these characters as record separators and field delimiters, an unsanitized metric name can smuggle additional forged metrics into the UDP stream transmitted to a statsd daemon, corrupting monitoring and telemetry data. No public exploit code exists at time of analysis and the EPSS score of 0.01% (1st percentile) indicates negligible observed exploitation activity; however, the patch diff makes exploitation trivially constructible by any attacker who can influence metric name values in a vulnerable application.

Technical ContextAI

Net::Statsd::Lite is a lightweight Perl CPAN module (author: RRWO; CPE: cpe:2.3:a:rrwo:net::statsd::lite:*:*:*:*:*:*:*:*) that sends metrics to a statsd daemon over UDP. The statsd wire protocol encodes metrics in the format <name>:<value>|<type>, with newlines used to separate multiple metric records in a single datagram. Because colons and pipes delimit fields within a record, and newlines delimit records themselves, injecting any of these characters into a metric name allows the construction of fully-formed additional metric records. CWE-93 (Improper Neutralization of CRLF Sequences / CRLF Injection) precisely characterizes the root cause: the library accepted user-controlled metric name strings without rejecting or stripping protocol-significant characters. The v0.9.0 fix, visible in the public commit diff, adds two croak guards in lib/Net/Statsd/Lite.pm: one rejecting metric names matching /[\n:|]/ and one rejecting suffixes matching /[\n]/, refusing malformed input at the library boundary rather than silently passing it through.

RemediationAI

Upgrade Net::Statsd::Lite to version 0.9.0 or later - this is the vendor-released patch confirmed by both the CPAN changelog (https://metacpan.org/release/RRWO/Net-Statsd-Lite-v0.9.0/changes) and the public commit (https://github.com/robrwo/Net-Statsd-Lite/commit/e1a8ab866d75c2827982134e9cf7e51a7f771153.patch). Install via cpanm Net::Statsd::Lite or your organization's preferred CPAN mirror. If an immediate upgrade is blocked (e.g., by frozen dependency trees), a compensating control is to sanitize or reject any user-controlled string at the application layer before passing it as a metric name - specifically, strip or refuse strings matching /[\n:|]/. This workaround must be applied consistently at every call site that feeds external data into Net::Statsd::Lite, introducing maintenance complexity; upgrading to v0.9.0 is the definitive and recommended resolution with no known functional regressions.

More in Net

View all
CVE-2026-33811 HIGH POC
7.5 May 07

Memory corruption in Go's net library (versions <1.25.10 and 1.26.0-1.26.2) leads to application crash when parsing mali

CVE-2018-17848 HIGH POC
7.5 Oct 01

The html package (aka x/net/html) through 2018-09-25 in Go mishandles <math><template><mn><b></template>, leading to a "

CVE-2018-17847 HIGH POC
7.5 Oct 01

The html package (aka x/net/html) through 2018-09-25 in Go mishandles <svg><template><desc><t><svg></template>, leading

CVE-2018-17143 HIGH POC
7.5 Sep 17

The html package (aka x/net/html) through 2018-09-17 in Go mishandles <template><tBody><isindex/action=0>, leading to a

CVE-2018-17142 HIGH POC
7.5 Sep 17

The html package (aka x/net/html) through 2018-09-17 in Go mishandles <math><template><mo><template>, leading to a "pani

CVE-2018-17075 HIGH POC
7.5 Sep 16

The html package (aka x/net/html) before 2018-07-13 in Go mishandles "in frameset" insertion mode, leading to a "panic:

CVE-2026-45491 MEDIUM POC
5.5 Jun 09

Local file tampering via symlink/junction following in Microsoft .NET runtimes 8.0, 9.0, and 10.0 allows a local unauthe

CVE-2024-43498 CRITICAL
9.8 Nov 12

.NET and Visual Studio Remote Code Execution Vulnerability. Rated critical severity (CVSS 9.8), this vulnerability is re

CVE-2023-36049 CRITICAL
9.8 Nov 14

.NET, .NET Framework, and Visual Studio Elevation of Privilege Vulnerability. Rated critical severity (CVSS 9.8), this v

CVE-2024-57854 CRITICAL
9.1 Mar 05

Weak PRNG in Net::NSCA::Client through 0.009002 for Perl. Patch available.

CVE-2026-11373 CRITICAL
9.1 Jun 22

Metric injection in the Perl module Net::Statsite::Client through version 1.1.0 allows attackers controlling metric name

CVE-2026-45591 HIGH
7.5 Jun 09

Remote denial of service in ASP.NET Core enables unauthenticated network attackers to exhaust server resources and disru

Share

CVE-2026-46719 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy