Description
Net::Statsd versions before 0.13 for Perl allow metric injections.

The metric names are not checked for newlines, colons or pipes. Metrics generated from untrusted sources could inject additional statsd metrics.

The update_stats (used for updating counters) and gauge methods do not check that values are numeric (which would block metric injection).
Published: 2026-06-04
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Net::Statsd versions older than 0.13 for Perl do not sanitize metric names, so a name containing a newline, colon or pipe character is passed straight into the statsd wire format (name:value|type), where those characters delimit metrics and fields. In addition, the update_stats and gauge methods accept values without confirming that they are numeric, so the same delimiters can be smuggled through the value field. An attacker who controls data that an application folds into a metric name or value can therefore terminate the intended metric and append arbitrary extra metrics of their own choosing, corrupting counters, gauges and any dashboards or alerts built on them. The CVSS vector records an integrity impact only (C:N/I:L/A:N); the advisory describes no confidentiality or availability effect. The flaw is classified as CWE-93 (CRLF injection) and CWE-150 (improper neutralization of escape, meta or control sequences).

Affected Systems

The affected product is Net::Statsd for Perl, versions prior to 0.13, published on CPAN by the author Cosimo (vendor "cosimo" in the CPE). No other vendors or versions are explicitly enumerated in the advisory.

Risk and Exploitability

The CVSS 3.1 base score is 5.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N) and the EPSS score is 0.00268, indicating a low probability of exploitation. The vulnerability is not listed in CISA's KEV catalog. The weakness lies in the client library, not in the StatsD server: the attacker does not need to reach the StatsD port (anyone who can do that can already send arbitrary metrics), only to supply input, such as a username, path or request field, that the Perl application builds into a metric name or value without validation. No privileges or user interaction are required. The impact is limited to the integrity of the collected metrics; the vector records no confidentiality or availability impact.

Generated by OpenCVE AI on June 19, 2026 at 21:10 UTC.

Remediation

Vendor Solution

Upgrade to version 0.13 or later.


Vendor Workaround

Apply the linked pull request. Otherwise ensure only trusted data is submitted to metrics.


OpenCVE Recommended Actions

  • Upgrade to Net::Statsd version 0.13 or later.
  • Apply the linked pull request provided by the vendor to mitigate the issue.
  • Ensure that only trusted data is submitted to the StatsD server; validate metric names and values before sending.
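The description above says the injection happens because newline, colon and pipe are not stripped from metric names and values are not checked to be numeric; the recommended action is to validate both before sending. The following is an added example, not code from Net::Statsd or its author: it reconstructs the statsd wire format (name:value|type, one metric per line) in plain Perl, shows how an attacker-chosen name or value injects extra metrics into the same datagram, and puts a validating builder beside the unchecked one. The function names, the whitelist policy (which is stricter than the advisory's wording, rejecting anything outside [A-Za-z0-9_.-]) and the attacker inputs are all constructed for this example.

```perl
#!/usr/bin/perl
# Added example, not Net::Statsd code. Reimplements the statsd line format
# so the injection and the fix can be seen without a StatsD server.
use strict;
use warnings;

# Vulnerable pattern: name and value are interpolated with no validation,
# the behaviour the advisory describes for update_stats/gauge before 0.13.
sub build_payload_unchecked {
    my ($name, $value, $type) = @_;
    return "${name}:${value}|${type}";
}

# Hardened pattern (assumed policy, not the 0.13 fix itself): names are
# limited to a conservative whitelist that cannot contain newline, colon or
# pipe; values must be plain numbers; the type must be a known statsd type.
sub build_payload_checked {
    my ($name, $value, $type) = @_;
    die "invalid metric name\n"
        unless defined $name && $name =~ /\A[A-Za-z0-9_.-]+\z/;
    die "non-numeric metric value\n"
        unless defined $value && $value =~ /\A-?\d+(?:\.\d+)?\z/;
    die "invalid metric type\n"
        unless defined $type && $type =~ /\A(?:c|g|ms|s)\z/;
    return "${name}:${value}|${type}";
}

# Parse a datagram the way a line-oriented statsd server does, returning the
# list of metrics it would actually record.
sub parse_payload {
    my ($payload) = @_;
    my @metrics;
    for my $line (split /\n/, $payload) {
        my ($name, $rest) = split /:/, $line, 2;
        next unless defined $rest;           # no ':' => server counts a bad line
        my ($value, $type) = split /\|/, $rest, 2;
        push @metrics, { name => $name, value => $value,
                         type => defined $type ? $type : '' };
    }
    return @metrics;
}

# Constructed inputs: [name, value, type] as an application would pass them.
my @cases = (
    # legitimate counter increment
    [ 'logins.alice', 1, 'c' ],
    # increment($name) where $name came from a request: the newline ends the
    # intended counter, sets an unrelated gauge, and the trailing "\nx" soaks
    # up the ":1|c" the library appends
    [ "logins.alice:1|c\nsystem.healthy:0|g\nx", 1, 'c' ],
    # gauge('queue.depth', $value) with an attacker-chosen, non-numeric value
    [ 'queue.depth', "5|g\nsystem.healthy:0|g\nx:1", 'g' ],
);

for my $case (@cases) {
    my ($name, $value, $type) = @$case;
    my @got = parse_payload(build_payload_unchecked($name, $value, $type));
    printf "unchecked: %d metric(s) recorded: %s\n", scalar @got,
        join ', ', map { "$_->{name}=$_->{value}|$_->{type}" } @got;
    my $ok  = eval { build_payload_checked($name, $value, $type); 1 };
    my $err = $ok ? '' : $@;
    chomp $err;
    printf "checked:   %s\n", $ok ? 'accepted' : "rejected: $err";
}
```

Running it shows the first case recorded as one metric and accepted by both builders, while the two attacker cases each produce three metrics through the unchecked builder (the injected one being system.healthy set to 0) and are rejected by the checked one. The same whitelist and numeric checks can be applied in the application before it calls the library, which is the workaround the vendor describes for installations that cannot upgrade yet.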

Advisories

No advisories yet.

History

Fri, 19 Jun 2026 18:15:00 +0000

Type                  Values Removed    Values Added
Weaknesses                              CWE-150

Mon, 08 Jun 2026 16:45:00 +0000

Type                  Values Removed    Values Added
First Time appeared                     Cosimo net\:\:statsd
CPEs                                    cpe:2.3:a:cosimo:net\:\:statsd:*:*:*:*:*:perl:*:*
Vendors & Products                      Cosimo net\:\:statsd

Fri, 05 Jun 2026 10:45:00 +0000

Type                  Values Removed    Values Added
First Time appeared                     Cosimo
                                        Cosimo net::statsd
Vendors & Products                      Cosimo
                                        Cosimo net::statsd

Thu, 04 Jun 2026 18:30:00 +0000

Type                  Values Removed    Values Added
Metrics                                 cvssV3_1: {'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N'}
                                        ssvc: {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 04 Jun 2026 16:45:00 +0000

Type                  Values Removed    Values Added
Description                             Net::Statsd versions before 0.13 for Perl allow metric injections. The metric names are not checked for newlines, colons or pipes. Metrics generated from untrusted sources could inject additional statsd metrics. The update_stats (used for updating counters) and gauge methods do not check that values are numeric (which would block metric injection).
Title                                   Net::Statsd versions before 0.13 for Perl allow metric injections
Weaknesses                              CWE-93
References

MITRE

Status: PUBLISHED

Assigner: CPANSec

Published:

Updated: 2026-06-19T15:30:27.660Z

Reserved: 2026-05-17T18:04:31.499Z

Link: CVE-2026-46739

Vulnrichment

Updated: 2026-06-04T17:47:17.653Z

NVD

Status : Analyzed

Published: 2026-06-04T17:16:32.663

Modified: 2026-06-08T16:31:06.713

Link: CVE-2026-46739

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-19T21:15:16Z

Weaknesses
  • CWE-150

    Improper Neutralization of Escape, Meta, or Control Sequences

  • CWE-93

    Improper Neutralization of CRLF Sequences ('CRLF Injection')