Description
Net::Statsd::Tiny versions before 0.3.8 for Perl allowed metric injections.

The metric names and set values were not checked for newlines, colons or pipes. Metrics generated from untrusted sources could inject additional statsd metrics.
Published: 2026-05-17
Score: 8.2 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Net::Statsd::Tiny versions before 0.3.8 do not validate metric names or values for newlines, colons, or pipes, which allows an attacker to inject arbitrary StatsD metrics. An attacker who supplies untrusted metric data could cause the library to send unintended metrics to the StatsD server, corrupting data integrity, misrepresenting monitoring dashboards, or flooding the server with unwanted metrics.

Affected Systems

All installations of the Perl module Net::Statsd::Tiny prior to version 0.3.8. The vendor RRWO identifies the affected product. No specific operating system or environment constraints; any environment using this module and receiving untrusted metric input is susceptible.

Risk and Exploitability

The EPSS score is <1% and the vulnerability is not listed in the CISA KEV catalog, so the baseline risk in terms of exploitation probability remains low. The CVSS score of 8.2 indicates high severity. Based on the description, the likely attack vector is supply‑chain or injection via untrusted metric input, which does not require privileged access. An attacker able to control metric data can exploit the flaw remotely, injecting additional metrics and potentially affecting data integrity or causing denial‑of‑service by flooding the StatsD server.

Generated by OpenCVE AI on May 18, 2026 at 15:36 UTC.

Remediation

Vendor Solution

Upgrade to Net::Statsd::Tiny version 0.3.8 or later.

Vendor Workaround

Apply the patch. Alternatively, validate that all metrics and setr values sent to the client based on untrusted data do not contain metric injections This is the same issue CVE-2026-46719 that affected Net::Statsd::Lite.

OpenCVE Recommended Actions

  • Upgrade to Net::Statsd::Time version 0.3.8 or later.
  • Apply the official patch provided in the Net::Statsd::Tiny repository.
  • When upgrading is not immediately possible, validate that any metric names and values supplied from untrusted sources do not contain newlines, colons, or pipe characters before passing them to the library.

Generated by OpenCVE AI on May 18, 2026 at 15:36 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Mon, 18 May 2026 13:30:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 8.2, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:N'}

ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Sun, 17 May 2026 20:30:00 +0000

Type Values Removed Values Added
First Time appeared Rrwo
Rrwo net::statsd::tiny
Vendors & Products Rrwo
Rrwo net::statsd::tiny

Sun, 17 May 2026 18:15:00 +0000

Type Values Removed Values Added
Description Net::Statsd::Tiny versions before 0.3.8 for Perl allowed metric injections. The metric names and set values were not checked for newlines, colons or pipes. Metrics generated from untrusted sources could inject additional statsd metrics.
Title Net::Statsd::Tiny versions before 0.3.8 for Perl allowed metric injections
Weaknesses CWE-93
References

Subscriptions

Rrwo Net::statsd::tiny
cve-icon MITRE

Status: PUBLISHED

Assigner: CPANSec

Published:

Updated: 2026-05-26T22:47:36.662Z

Reserved: 2026-05-16T00:56:00.338Z

Link: CVE-2026-46720

cve-icon Vulnrichment

Updated: 2026-05-18T12:54:18.578Z

cve-icon NVD

Status : Deferred

Published: 2026-05-17T18:16:27.397

Modified: 2026-05-18T17:40:45.343

Link: CVE-2026-46720

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-18T15:45:26Z

Weaknesses
  • CWE-93

    Improper Neutralization of CRLF Sequences ('CRLF Injection')