Description
Net::Async::Statsd::Client versions through 0.005 for Perl allow metric injections.

The metric names are not checked for newlines, colons or pipes. Metrics generated from untrusted sources could inject additional statsd metrics.
Published: 2026-06-03
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability stems from Net::Async::Statsd::Client not validating metric names. In the statsd wire format a colon separates the name from the value, a pipe separates the value from the metric type, and a newline separates metrics within one datagram; a name containing any of these characters is passed through unchanged, so an untrusted source that controls part of a metric name can terminate the intended metric early and append metrics of its own choosing. The result is corrupted or deliberately falsified monitoring data, for example a spoofed counter or gauge that dashboards or alerting rules depend on. The CNA classifies the flaw as CWE-150 and CWE-93 (injection of control sequences / CRLF injection). Per the CVSS 3.1 vector it carries low confidentiality and integrity impact and no availability impact; it does not provide code execution or privilege escalation.

Affected Systems

Net::Async::Statsd::Client for Perl, versions up to and including 0.005, is affected. No other product or version information is available in the CNA record.

Risk and Exploitability

Because the flaw permits injection of arbitrary metrics, it matters in any deployment where metric names are built from untrusted or semi-trusted input, such as request paths, user-supplied identifiers or header values. The CVSS 3.1 vector (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N, 6.5 Medium) describes a network-reachable, unauthenticated attack with low confidentiality and integrity impact; the EPSS score below 1% indicates a low expected probability of exploitation, and the vulnerability is not listed in the CISA KEV catalog. Practical exploitability depends entirely on whether some network-facing component passes attacker-influenced strings to the client as metric names; where only fixed, developer-chosen names are emitted, the flaw is not reachable. The CNA's only mitigation is a workaround: submit only trusted data as metric names.

Generated by OpenCVE AI on June 19, 2026 at 21:27 UTC.

Remediation

Vendor Workaround

Ensure only trusted data is submitted to metrics.


OpenCVE Recommended Actions

  • Ensure that only trusted or validated data is sent to the Statsd client; discard or sanitize untrusted input beforehand.
  • Implement validation checks against metric names, rejecting any newlines, colons, or pipe characters to prevent injection.
  • Update Net::Async::Statsd::Client to a release newer than 0.005 that fixes this issue once one is available, or replace it with a statsd client that validates metric names.
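The following Python example, added here and not part of the advisory or of the Perl library itself, shows the mechanism behind the description and the validation the recommended actions call for. A metric name is built from a constructed untrusted request path; a formatter that performs no check (written here to mirror the class of bug, not the library's code) produces a datagram that a minimal statsd-line parser reads as two metrics, one of them attacker-chosen, while a checked formatter rejects the name and a sanitizing variant collapses it back to a single metric. The function and constant names are this example's own, and the inclusion of carriage return in the rejected set is a defensive addition beyond the three characters the advisory names.

```python
import re

# Constructed untrusted input (not from the advisory): a request path that an
# application naively folds into a per-path metric name.
UNTRUSTED_PATH = "health:0|g\ndeploy.status"
METRIC_PREFIX = "requests.path."

# Wire delimiters in the statsd line protocol: ':' ends the name, '|' ends the
# value, '\n' ends the metric. '\r' is rejected here as a defensive extra.
FORBIDDEN = re.compile(r"[:|\n\r]")


def format_metric_unchecked(name: str, value: int, kind: str = "c") -> str:
    """Vulnerable formatter: no validation of the metric name.

    Illustrates the bug class in the advisory; this is not the Perl library's code.
    """
    return f"{name}:{value}|{kind}"


def format_metric_checked(name: str, value: int, kind: str = "c") -> str:
    """Hardened formatter: refuses names containing wire delimiters."""
    if not name:
        raise ValueError("empty metric name")
    if FORBIDDEN.search(name):
        raise ValueError(f"metric name contains statsd delimiter: {name!r}")
    return f"{name}:{value}|{kind}"


def sanitize_name(name: str, replacement: str = "_") -> str:
    """Alternative to rejection: replace delimiters so the name stays one metric."""
    return FORBIDDEN.sub(replacement, name)


def parse_datagram(payload: str) -> list[tuple[str, str, str]]:
    """Minimal view of what a statsd server does with a datagram.

    One metric per line, formatted '<name>:<value>|<type>[|@<rate>]'.
    Returns (name, value, type) tuples in wire order.
    """
    metrics = []
    for line in payload.split("\n"):
        if not line:
            continue
        name, _, rest = line.partition(":")
        fields = rest.split("|")
        value = fields[0]
        kind = fields[1] if len(fields) > 1 else ""
        metrics.append((name, value, kind))
    return metrics


def demo() -> dict:
    """Run the untrusted name through all three paths and report the outcome."""
    name = METRIC_PREFIX + UNTRUSTED_PATH

    # Vulnerable path: one increment call yields two metrics on the wire.
    unchecked = format_metric_unchecked(name, 1, "c")
    injected = parse_datagram(unchecked)

    # Hardened path: the same name is rejected before anything is sent.
    try:
        format_metric_checked(name, 1, "c")
        rejected = False
    except ValueError:
        rejected = True

    # Sanitizing path: delimiters are replaced, so only one metric is emitted.
    sanitized = parse_datagram(format_metric_checked(sanitize_name(name), 1, "c"))

    return {
        "unchecked": unchecked,
        "injected": injected,
        "rejected": rejected,
        "sanitized": sanitized,
    }


if __name__ == "__main__":
    for key, val in demo().items():
        print(f"{key}: {val!r}")
```

Rejection is the safer default when the caller can surface an error; sanitizing is appropriate where a metric must still be emitted, but the replacement character should be one the naming scheme does not otherwise use, so that two distinct inputs cannot collide into the same metric name.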

Generated by OpenCVE AI on June 19, 2026 at 21:27 UTC.

Advisories

No advisories yet.

History

Fri, 19 Jun 2026 18:15:00 +0000

Type        | Values Removed | Values Added
Weaknesses  |                | CWE-150

Mon, 08 Jun 2026 16:45:00 +0000

Type                | Values Removed | Values Added
First Time appeared |                | Team net\
CPEs                |                | cpe:2.3:a:team:net\:\:async\:\:statsd\:\:client:*:*:*:*:*:perl:*:*
Vendors & Products  |                | Team net\

Fri, 05 Jun 2026 10:45:00 +0000

Type                | Values Removed | Values Added
First Time appeared |                | Team
                    |                | Team net::async::statsd::client
Vendors & Products  |                | Team
                    |                | Team net::async::statsd::client

Thu, 04 Jun 2026 19:30:00 +0000

Type     | Values Removed | Values Added
Metrics  |                | cvssV3_1: {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N'}
         |                | ssvc: {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 04 Jun 2026 00:15:00 +0000

Type        | Values Removed | Values Added
Description |                | Net::Async::Statsd::Client versions through 0.005 for Perl allow metric injections. The metric names are not checked for newlines, colons or pipes. Metrics generated from untrusted sources could inject additional statsd metrics.
Title       |                | Net::Async::Statsd::Client versions through 0.005 for Perl allow metric injections
Weaknesses  |                | CWE-93
References  |                |

MITRE

Status: PUBLISHED

Assigner: CPANSec

Published:

Updated: 2026-06-19T15:33:53.933Z

Reserved: 2026-05-16T01:26:22.806Z

Link: CVE-2026-8722

Vulnrichment

Updated: 2026-06-04T18:28:20.686Z

NVD

Status : Analyzed

Published: 2026-06-04T00:17:00.333

Modified: 2026-06-08T16:39:33.110

Link: CVE-2026-8722

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-19T21:30:17Z

Weaknesses
  • CWE-150: Improper Neutralization of Escape, Meta, or Control Sequences
  • CWE-93: Improper Neutralization of CRLF Sequences ('CRLF Injection')