
DataDog::DogStatsd (EUVD-2026-34846)

CVE-2026-9270 CRITICAL
Improper Neutralization of CRLF Sequences ('CRLF Injection') (CWE-93)
2026-06-05 CPANSec GHSA-x9rg-6x4w-mpcx
9.1 (CVSS 3.1 · NVD)

Severity by source

NVD PRIMARY
9.1 CRITICAL
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

Primary rating from NVD · only source for this CVE.

CVSS Vector (NVD)

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: None

Lifecycle Timeline

Analysis Generated: Jun 08, 2026 19:22 (vuln.today)
CVSS changed: Jun 08, 2026 19:22 (NVD), 9.1 (CRITICAL)
CVE Published: Jun 05, 2026 14:49 (nvd), UNKNOWN (no severity yet)

Description (CVE.org)

DataDog::DogStatsd versions through 0.07 for Perl allow metric injections.

DataDog::DogStatsd does not properly sanitise input, allowing metric injections of data from untrusted sources.

The send_stats method does not remove newlines from metric names ($stat variable), allowing attackers to change the metric name prefix.

The send_stats method does not validate the content of the value ($delta variable), allowing attackers to inject metrics, especially from methods that do not restrict the data type for the value, such as set, gauge, count and histogram.

The send_stats method does not validate the content of the tags, which may contain newlines, pipes and colons that allow metric injections.

Note that the SYNOPSIS shows an example of passing a website form "loginName" parameter as a tag, which is unsafe.

Analysis (AI)

Metric injection in the Perl DataDog::DogStatsd client (versions through 0.07) allows remote attackers to forge or manipulate StatsD metrics by supplying unsanitised input containing newlines, pipes, or colons in stat names, values, or tags. With a CVSS 9.1 (AV:N/AC:L/PR:N/UI:N) rating and CWE-93 (CRLF Injection) classification, attackers can corrupt monitoring data, change metric name prefixes, or inject arbitrary metrics. The SYNOPSIS example of passing a web form 'loginName' parameter as a tag is explicitly called out as unsafe. …


Attack Chain (AI-derived)

Hypothetical attack flow derived from CVE metadata

Access: Identify Perl app using DogStatsd
Delivery: Find input reflected into metric tag/name
Exploit: Submit payload with newline and pipe
Execution: Library forwards unsanitised string to StatsD
Persist: Datadog Agent parses injected metric line
Impact: Poisoned metrics corrupt dashboards and alerts

Vulnerability Assessment (AI)

Exploitation: Exploitation requires that the host Perl application call DataDog::DogStatsd's send_stats (directly or via the set/gauge/count/histogram wrappers) with attacker-influenced data in the $stat name, $delta value, or tags arguments, exactly the pattern shown in the module's own SYNOPSIS where a web form 'loginName' parameter is used as a tag. …

Risk Assessment: Signals here are sharply divergent and require careful interpretation. …

Exploit Scenario: A Perl web application uses DataDog::DogStatsd to record a login attempt and, following the module's SYNOPSIS example, passes the submitted loginName as a tag. An attacker submits a loginName like 'admin\nattacker.metric:9999|c|#env:prod' which, when serialised by send_stats, breaks the StatsD line and injects an arbitrary 'attacker.metric' counter into Datadog, poisoning dashboards, triggering false alerts, or masking real anomalies. …

Remediation: No vendor-released patch version is identified in the provided data; the input states the issue affects versions through 0.07 but does not name a fixed release, so monitor CPAN and the Datadog repository for an updated DataDog::DogStatsd module above 0.07 and upgrade once available (https://nvd.nist.gov/vuln/detail/CVE-2026-9270 and https://seclists.org/oss-sec/2026/q2/826 are the authoritative tracking advisories). …

Recommended Action (AI)

Within 24 hours: Inventory all systems using DataDog::DogStatsd 0.07 or earlier; identify applications passing untrusted input (web forms, APIs, user data) to metric names, values, or tags. …
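Since no fixed release is named above, a compensating control is to validate the three fields (metric name, value, tags) before they ever reach send_stats. The following Perl is an added example written for this page, not code from DataDog::DogStatsd, CPANSec or the advisory; the safe_* and tag_from_untrusted helpers are its own, the sample login name is constructed from the exploit scenario, and the increment($stat, { tags => [...] }) and gauge($stat, $value) call shapes are assumed from the module's SYNOPSIS.

```perl
use strict; use warnings; use 5.010;

# Allow-lists for the three fields send_stats forwards unchecked (CVE-2026-9270).
my $NAME_RE  = qr/^[A-Za-z][A-Za-z0-9_.]{0,199}$/;                      # metric name
my $VALUE_RE = qr/^-?(?:\d+|\d*\.\d+)(?:[eE][-+]?\d+)?$/;                # decimal number
my $TAG_RE   = qr/^[A-Za-z][A-Za-z0-9_.\/-]*(?::[A-Za-z0-9_.\/-]+)?$/;  # key or key:value

# Metric names come from code, never from requests: refuse anything off-list rather
# than rewriting it, so a newline in $stat can never start a second StatsD line.
sub safe_metric_name {
    my ($stat) = @_;
    die "refusing metric name (not in allow-list)\n"
        unless defined $stat && $stat =~ $NAME_RE;
    return $stat;
}

# $delta must be a plain number; set/gauge/count/histogram otherwise accept any string.
sub safe_metric_value {
    my ($delta) = @_;
    die "refusing metric value (not numeric)\n"
        unless defined $delta && $delta =~ $VALUE_RE;
    return 0 + $delta;
}

# Tag values built from untrusted text (a form field, an API parameter) are
# reduced to a fixed alphabet and length, so newline, '|', ':', '#' and ','
# never reach the wire. The key is code-controlled: validated, not rewritten.
sub tag_from_untrusted {
    my ($key, $raw) = @_;
    die "invalid tag key\n" unless $key =~ /^[A-Za-z][A-Za-z0-9_]*$/;
    (my $val = $raw // '') =~ s/[^A-Za-z0-9_.\/-]/_/g;
    $val = substr $val, 0, 100;
    $val = 'empty' if $val eq '';
    my $tag = "$key:$val";
    die "tag failed allow-list\n" unless $tag =~ $TAG_RE;
    return $tag;
}

# Constructed input mirroring the exploit scenario's payload: after sanitising it
# is a single tag on a single StatsD line, not a tag plus an injected second line.
my $login_name = "admin\nattacker.metric:9999|c|#env:prod";
my $tag = tag_from_untrusted('login_name', $login_name);
say $tag;
say eval { safe_metric_name("logins\nx:1|c"); 1 } ? 'name accepted' : 'name rejected';

# Only when the real client is installed (call shapes as in its SYNOPSIS, assumed):
if (eval { require DataDog::DogStatsd; 1 }) {
    my $statsd = DataDog::DogStatsd->new;
    $statsd->increment(safe_metric_name('login.attempt'), { tags => [$tag] });
    $statsd->gauge(safe_metric_name('login.latency_ms'), safe_metric_value('12.5'));
}
```

The rejecting behaviour for names and values is deliberate: a metric name or count that fails the allow-list indicates a bug or an attack in the caller, and silently rewriting it would hide exactly the signal worth alerting on.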




EUVD-2026-34846 vulnerability details – vuln.today
