Datadog

2 CVEs product

CVE-2026-11362 CRITICAL Act Now

Metric and tag injection in the Perl DataDog::DogStatsd client (versions through 0.07) allows attackers who control event tag content to inject arbitrary metrics, tags, and event data into the DogStatsd telemetry stream. The CVSS 9.8 score reflects an unauthenticated network-vector CWE-93 (CRLF/separator injection) flaw where the format_event method fails to sanitize commas, newlines, pipes, and colons - including an ineffective s/|//g substitution in which the unescaped pipe is parsed as a regex alternation metacharacter rather than a literal character. No public exploit identified at time of analysis, and EPSS sits at 0.03% (8th percentile), indicating low observed exploitation interest despite the high CVSS rating.

Code Injection Datadog
NVD VulDB
CVSS 3.1: 9.8
EPSS: 0.0%
CVE-2026-9270 CRITICAL Act Now

Metric injection in the Perl DataDog::DogStatsd client (versions through 0.07) allows remote attackers to forge or manipulate StatsD metrics by supplying unsanitised input containing newlines, pipes, or colons in stat names, values, or tags. The flaw is rated CVSS 9.1 (AV:N/AC:L/PR:N/UI:N) and classified as CWE-93 (CRLF Injection); attackers can corrupt monitoring data, change metric name prefixes, or inject arbitrary metrics - the SYNOPSIS example of passing a web form 'loginName' parameter as a tag is explicitly called out as unsafe. EPSS is very low (0.03%) and no public exploit identified at time of analysis, but the trivial network attack profile means risk depends entirely on whether untrusted input reaches the library.

Code Injection Datadog
NVD VulDB
CVSS 3.1: 9.1
EPSS: 0.0%