CVE-2026-46741 - Vulnerability Details

- Etsy::StatsD versions through 1.002002 for Perl allow metric injections

Description

Etsy::StatsD versions through 1.002002 for Perl allow metric injections.

The metric names and values are not checked for newlines, colons or pipes. Metrics generated from untrusted sources could inject additional statsd metrics.

Note that the git repository contains an unreleased version with the gauge and set methods that also do not check for potential metric injections.

Published: 2026-06-04

Score: 7.5 High

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

Etsy::StatsD libraries for Perl up to 1.002002 do not sanitize metric names and values for newlines, colons, or pipe characters, allowing an attacker to inject additional metrics into the StatsD stream. If untrusted data is submitted, the library interprets injected delimiters as separate metrics, potentially leading to inaccurate monitoring data or denial of service through excessive metric creation.

Affected Systems

The vulnerability affects the SANBEG Etsy::StatsD Perl library, specifically all releases through version 1.002002. An unreleased development build also contains gauge and set methods that lack protection against injection, meaning any environment using the current or older releases is susceptible.

Risk and Exploitability

The CVSS score of 7.5 indicates significant severity, and the EPSS score is less than 1%, indicating a low but nonzero probability of exploitation. The vulnerability is not listed in the CISA KEV catalog, suggesting limited exposure data. If an application can cause the library to process inputs from untrusted sources, an attacker can inject arbitrary metrics. The likely attack vector is any input forwarded to the StatsD client, whether from user traffic, external services, or internal data feeds. Exploitation requires only the ability to influence metric submissions, a condition that may arise in many server or monitoring setups that forward untrusted data to Etsy::StatsD.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

SANBEG

Etsy::StatsD

unaffected

Version	Status	Constraints
`0`	affected	≤ 1.002002

Configuration 1 [-]

cpe:2.3:a:sanbeg:etsy\:\:statsd:*:*:*:*:*:perl:*:*

No data.

Vendor Product Confidence Versions

Sanbeg

Etsy::statsd

100%

Version	Status	Scheme	Platform
`[0,1.002002]`	affected	generic	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

Vendor Workaround

Ensure only trusted data is submitted to metrics.

OpenCVE Recommended Actions

Upgrade to a patched version of Etsy::StatsD if a newer release that sanitizes metric input is available.
Strictly limit the data sent to the StatsD client to trusted sources only, as recommended in the vendor workaround.
Validate metric names and values before they are passed to Etsy::StatsD, ensuring no newlines, colons, or pipe characters are present.

Generated by OpenCVE AI on June 19, 2026 at 21:10 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact High

Availability Impact None

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00262.

Exploitation none

Automatable yes

Technical Impact partial

References

Link	Providers
https://www.cve.org/CVERecord?id=CVE-2026-46719
https://www.cve.org/CVERecord?id=CVE-2026-46720

History

Fri, 19 Jun 2026 18:15:00 +0000

Type	Values Removed	Values Added
Weaknesses		CWE-150

Mon, 08 Jun 2026 16:45:00 +0000

Type	Values Removed	Values Added
First Time appeared		Sanbeg etsy\
CPEs		cpe:2.3:a:sanbeg:etsy\:\:statsd::::::perl::*
Vendors & Products		Sanbeg etsy\

Fri, 05 Jun 2026 10:45:00 +0000

Type	Values Removed	Values Added
First Time appeared		Sanbeg Sanbeg etsy::statsd
Vendors & Products		Sanbeg Sanbeg etsy::statsd

Thu, 04 Jun 2026 18:30:00 +0000

Type	Values Removed	Values Added
Metrics		cvssV3_1 `{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N'}` ssvc `{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Thu, 04 Jun 2026 16:45:00 +0000

Type	Values Removed	Values Added
Description		Etsy::StatsD versions through 1.002002 for Perl allow metric injections. The metric names and values are not checked for newlines, colons or pipes. Metrics generated from untrusted sources could inject additional statsd metrics. Note that the git repository contains an unreleased version with the gauge and set methods that also do not check for potential metric injections.
Title		Etsy::StatsD versions through 1.002002 for Perl allow metric injections
Weaknesses		CWE-93
References		https://www.cve.org/CVERecord?id=CVE-2026-46719 https://www.cve.org/CVERecord?id=CVE-2026-46720

Subscriptions

Sanbeg Etsy::statsd Etsy\

MITRE

Status: PUBLISHED

Assigner: CPANSec

Published: 2026-06-04T15:54:48.934Z

Updated: 2026-06-19T15:31:51.624Z

Reserved: 2026-05-17T18:04:31.500Z

Link: CVE-2026-46741

Vulnrichment

Updated: 2026-06-04T17:39:30.765Z

NVD

Status : Analyzed

Published: 2026-06-04T17:16:32.790

Modified: 2026-06-08T16:33:05.893

Link: CVE-2026-46741

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-19T21:15:16Z

Weaknesses

CWE-150
Improper Neutralization of Escape, Meta, or Control Sequences
CWE-93
Improper Neutralization of CRLF Sequences ('CRLF Injection')

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact High

Availability Impact None

User Interaction None

Exploitation none

Automatable yes

Technical Impact partial

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object