Description
Net::Statsite::Client versions through 1.1.0 for Perl allow metric injections.

Net::Statsite::Client is a client for the statsite protocol, which is a variant of statsd.

Newlines are not removed from metric names, allowing metric injections.

Values are not sanitised for newlines or other protocol control characters such as colons or pipes, allowing metric injections.
Published: 2026-06-22
Score: n/a
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Net::Statsite::Client versions through 1.1.0 allow metric injection because newlines are not removed from metric names, and values are not sanitised for newlines or other protocol control characters such as colons or pipes. An attacker can therefore craft input that introduces additional metrics or alters the format of metric transmissions, which can lead to unexpected metric collection, resource exhaustion, or interference with monitoring infrastructure. The weakness is classified under CWE-150 and CWE-93, both of which concern improper neutralization of input.

Affected Systems

The affected product is JASEI's Net::Statsite::Client. All releases up to and including version 1.1.0 are vulnerable. No other versions are listed as affected.

Risk and Exploitability

No CVSS score is present, EPSS data is unavailable, and the vulnerability is not listed in CISA's KEV catalog. The likely attack vector requires the ability to influence data passed to the Net::Statsite::Client library, typically through a local application that uses the client. The dependency on untrusted input is inferred from the description; the threat model assumes that an attacker can manipulate the data sent to the client. If an application exposes untrusted input to the client, an attacker could exploit the injection locally, but remote exploitation would require additional conditions that are not documented in the description.

Generated by OpenCVE AI on June 22, 2026 at 13:50 UTC.

Remediation

Vendor Workaround

Apply the patch. Otherwise ensure that metric names and values come from trusted sources or are properly sanitised.


OpenCVE Recommended Actions

  • Apply the official patch (CVE‑2026‑11373‑r1) to upgrade Net::Statsite::Client to a non‑vulnerable version.
  • Validate and sanitize all metric names and values prior to sending them to Statsite, removing newlines, colons, pipes, and any other control characters.
  • If upgrading immediately is not viable, isolate the Statsite client to a trusted environment, and enforce strict input validation on all data that reaches the client.
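The validation step recommended above, sketched as an added example (not code from Net::Statsite::Client or from OpenCVE). The helper names, the name allow-list and the 200-character limit are assumptions; the block builds `name:value|type` lines itself and does not call the client library.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Hypothetical helpers (not part of Net::Statsite::Client): validate a metric
# name and value before they are handed to any statsite/statsd client.

# Allow-list for names (assumed policy): letters, digits, '.', '_' and '-',
# so newline, ':' and '|' can never appear. The length cap is arbitrary.
sub safe_metric_name {
    my ($name) = @_;
    return unless defined $name;
    return $name =~ /\A[A-Za-z0-9._-]{1,200}\z/ ? $name : undef;
}

# Values must be a plain decimal number; \z (not $) rejects a trailing newline.
sub safe_metric_value {
    my ($value) = @_;
    return unless defined $value;
    return $value =~ /\A-?[0-9]+(?:\.[0-9]+)?\z/ ? $value : undef;
}

# Build one protocol line, or return undef when any field fails validation.
# Only numeric metric types are covered; set members ("s") are not.
sub build_metric_line {
    my ($name, $value, $type) = @_;
    my %numeric_types = map { $_ => 1 } qw(kv g ms h c);
    return unless defined $type && $numeric_types{$type};
    my $n = safe_metric_name($name);
    my $v = safe_metric_value($value);
    return unless defined $n && defined $v;
    return "${n}:${v}|${type}\n";
}

# Constructed sample inputs: the second and third carry protocol characters.
my @samples = (
    [ 'web.requests',               '1',          'c'  ],
    [ "web.requests\nadmin.logins", '1',          'c'  ],
    [ 'web.latency',                "12|ms\nx:1", 'ms' ],
);
for my $s (@samples) {
    my $line = build_metric_line(@$s);
    (my $shown = $s->[0]) =~ s/\n/\\n/g;   # make the newline visible in output
    print defined $line ? "send   $line" : "reject name=$shown\n";
}
```

Rejecting the whole metric, rather than stripping characters and sending the remainder, keeps a malformed name from silently becoming a different valid one.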

Advisories

No advisories yet.

History

Mon, 22 Jun 2026 12:00:00 +0000

Type | Values Removed | Values Added
Description | | Net::Statsite::Client versions through 1.1.0 for Perl allow metric injections. Net::Statsite::Client is a client for the statsite protocol, which is a variant of statsd. Newlines are not removed from metric names, allowing metric injections. Values are not sanitised for newlines or other protocol control characters such as colons or pipes, allowing metric injections.
Title | | Net::Statsite::Client versions through 1.1.0 for Perl allow metric injections
Weaknesses | | CWE-150, CWE-93
References

MITRE

Status: PUBLISHED

Assigner: CPANSec

Published:

Updated: 2026-06-22T11:28:06.211Z

Reserved: 2026-06-05T12:15:54.476Z

Link: CVE-2026-11373

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-22T14:00:18Z

Weaknesses
  • CWE-150

    Improper Neutralization of Escape, Meta, or Control Sequences

  • CWE-93

    Improper Neutralization of CRLF Sequences ('CRLF Injection')