Severity by source
Primary rating from NVD (the only source that has scored this CVE).
CVSS vector (NVD): CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
Description (CVE.org)
DataDog::DogStatsd versions through 0.07 for Perl allow metric injections.
DataDog::DogStatsd does not properly sanitise input, allowing metric injections of data from untrusted sources.
The send_stats method does not remove newlines from metric names ($stat variable), allowing attackers to change the metric name prefix.
The send_stats method does not validate the content of the value ($delta variable), allowing attackers to inject metrics, especially from methods that do not restrict the data type for the value, such as set, gauge, count and histogram.
The send_stats method does not validate the content of the tags, which may contain newlines, pipes and colons that allow metric injections.
Note that the SYNOPSIS shows an example of passing a website form "loginName" parameter as a tag, which is unsafe.
Analysis (AI-generated)
Metric injection in the Perl DataDog::DogStatsd client (versions through 0.07) lets remote attackers forge or manipulate StatsD metrics by supplying unsanitised input containing newlines, pipes, or colons in stat names, values, or tags. The NVD vector scores 9.1 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N) and the weakness is classified as CWE-93 (CRLF injection): an attacker can corrupt monitoring data, change a metric's name prefix, or inject arbitrary metrics. The module's own SYNOPSIS example of passing a web form 'loginName' parameter as a tag is explicitly called out as unsafe. …
Vulnerability Assessment (AI-generated)
| Section | Assessment |
|---|---|
| Exploitation | Exploitation requires that the host Perl application call DataDog::DogStatsd's send_stats (directly or via the set/gauge/count/histogram wrappers) with attacker-influenced data in the $stat name, $delta value, or tags arguments, which is exactly the pattern shown in the module's own SYNOPSIS, where a web form 'loginName' parameter is used as a tag. … |
| Risk Assessment | Signals here are sharply divergent and require careful interpretation. … |
| Exploit Scenario | A Perl web application uses DataDog::DogStatsd to record a login attempt and, following the module's SYNOPSIS example, passes the submitted loginName as a tag. An attacker submits a loginName like 'admin\nattacker.metric:9999\|c\|#env:prod' which, when serialised by send_stats, terminates the legitimate StatsD line and injects an arbitrary 'attacker.metric' counter into Datadog, poisoning dashboards, triggering false alerts, or masking real anomalies. … |
| Remediation | No vendor-released patch version is identified in the available data: the advisory states that the issue affects versions through 0.07 but does not name a fixed release, so monitor CPAN and the Datadog repository for a DataDog::DogStatsd release above 0.07 and upgrade once one is available (https://nvd.nist.gov/vuln/detail/CVE-2026-9270 and https://seclists.org/oss-sec/2026/q2/826 are the authoritative tracking advisories). … |
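As an added worked example (not code from the DataDog::DogStatsd distribution or from the advisory), the script below reconstructs the StatsD line that the description attributes to send_stats, feeds it the loginName payload from the exploit scenario so the datagram visibly splits into two metrics, and then shows the validation a caller can wrap around the real client until a fixed release exists. The format_line, safe_stat, safe_number, safe_set_value and safe_tag names are this example's own; the wire-format reconstruction (prefix and sample rate omitted) and the tag character set it allows are assumptions, not the module's documented behaviour.

```perl
#!/usr/bin/env perl
# Added example: reconstructs the StatsD line that send_stats is described as
# building (assumed format: <stat>:<delta>|<type>[|#tag1,tag2]), shows the
# injection, then a validating layer to put in front of the real client.
use strict;
use warnings;

# Assumed reconstruction of the wire format. Nothing is escaped, which is
# the defect the advisory describes.
sub format_line {
    my ($stat, $delta, $type, $tags) = @_;
    my $line = "$stat:$delta|$type";
    $line .= '|#' . join(',', @$tags) if $tags && @$tags;
    return $line;
}

# Constructed attacker input: the payload from the exploit scenario.
my $login_name = "admin\nattacker.metric:9999|c|#env:prod";
my $unsafe = format_line('app.login', 1, 'c', ["loginName:$login_name"]);

# A StatsD server splits a datagram on newlines, so the second line is
# processed as an independent counter named attacker.metric.
my @received = split /\n/, $unsafe;
printf "%d metric lines in one datagram:\n", scalar @received;
print "  $_\n" for @received;

# Validation layer. Metric names and numeric values are developer-controlled,
# so any unexpected character is rejected outright. Tag values and set
# members may carry user data, so they are normalised through an allowlist
# instead (assumed to match what Datadog accepts inside a tag).
my $IDENT = qr/\A[A-Za-z][A-Za-z0-9_.]*\z/;

sub _show { my $s = shift; $s = '' unless defined $s; $s =~ s/\n/\\n/g; return "'$s'" }

sub safe_stat {
    my ($stat) = @_;
    die "refusing metric name: " . _show($stat) . "\n" unless $stat =~ $IDENT;
    return $stat;
}

sub safe_number {
    my ($v) = @_;
    die "refusing metric value: " . _show($v) . "\n"
        unless defined $v && $v =~ /\A[+-]?\d+(?:\.\d+)?\z/;
    return $v;
}

sub _normalise {
    my ($s, $max) = @_;
    $s = '' unless defined $s;
    $s =~ s/[^A-Za-z0-9_.\/\-\@]/_/g;   # newline, pipe, colon, '#', ',' all become '_'
    return substr($s, 0, $max);
}

sub safe_set_value { return _normalise($_[0], 200) }

sub safe_tag {
    my ($key, $value) = @_;
    die "refusing tag key: " . _show($key) . "\n" unless $key =~ $IDENT;
    return "$key:" . _normalise($value, 200);
}

# Same input through the validating layer: still one metric, tag intact.
my $safe = format_line(safe_stat('app.login'), safe_number(1), 'c',
                       [safe_tag('loginName', $login_name)]);
my @safe_lines = split /\n/, $safe;
printf "%d metric line after validation:\n  %s\n", scalar @safe_lines, $safe;

# Structural characters in a metric name are a bug in the caller, not data.
eval { safe_stat("app.login\nevil:1|c") };
print "caught: $@" if $@;

# Call-site usage with the real client (assumed API shape, shown as a comment):
#   $statsd->increment(safe_stat('app.login'),
#                      { tags => [ safe_tag('loginName', $login_name) ] });
```

Rejecting bad metric names and values makes a caller bug fail loudly, while normalising user-controlled tag values means an odd username cannot suppress the login metric itself. Even after sanitising, a per-user loginName is a high-cardinality tag; a bounded attribute such as the login outcome is the better choice.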
Recommended Action (AI-generated)
Within 24 hours: inventory all systems using DataDog::DogStatsd 0.07 or earlier, and identify applications that pass untrusted input (web forms, APIs, user data) to metric names, values, or tags. …
Same technique: Code Injection
Related identifiers
EUVD-2026-34846
GHSA-x9rg-6x4w-mpcx