Description
DataDog::DogStatsd versions through 0.07 for Perl allow metric injections.

DataDog::DogStatsd does not properly sanitise input, allowing metric injections of data from untrusted sources.

The send_stats method does not remove newlines from metric names ($stat variable), allowing attackers to change the metric name prefix.

The send_stats method does not validate the content of the value ($delta variable), allowing attackers to inject metrics, especially from methods that do not restrict the data type for the value, such as set, gauge, count and histogram.

The send_stats method does not validate the content of the tags, which may contain newlines, pipes and colons that allow metric injections.

Note that the SYNOPSIS shows an example of passing a website form "loginName" parameter as a tag, which is unsafe.
Published: 2026-06-05
Score: n/a
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The DataDog::DogStatsd Perl library, up to and including version 0.07, does not properly sanitize the input used by the send_stats method. The library fails to strip newlines from metric names, fails to validate the content of the metric value, and fails to reject newlines, pipes, and colons in tags. These deficiencies allow an attacker who controls any of those inputs to craft arbitrary metric names, inject unintended metrics, and manipulate tag values, corrupting monitoring data and potentially misleading dashboards and alerts.

Affected Systems

All installations of the DataDog::DogStatsd Perl library with versions through 0.07 are affected. This includes any application employing the library without additional sanitisation, regardless of the environment in which it runs.

Risk and Exploitability

The vulnerability can be exploited whenever untrusted data is supplied to the vulnerable methods – for example, from web form inputs or other user‑controlled sources. Because the flaw only corrupts metric data and does not provide code execution, the risk mainly concerns integrity of monitoring data and the accuracy of alert conditions. There is no publicly available exploit or listing in the CISA KEV catalog, and the EPSS score is not available, suggesting that the exploitation probability is uncertain. The most likely attack vector is through application components that accept external input and forward it to the DogStatsd send_stats routine without validation. Administrators should treat the situation as a significant integrity risk, especially in environments where accurate metrics drive operational or security decisions.

Generated by OpenCVE AI on June 5, 2026 at 16:21 UTC.

Remediation

Vendor Workaround

Ensure that metric names, values and tags come from trusted sources or are properly sanitised.


OpenCVE Recommended Actions

  • Upgrade DataDog::DogStatsd to a release newer than version 0.07 (e.g., 0.08 or later) which includes proper sanitisation of metric names, values, and tags.
  • Before passing any metric name, value, or tag to send_stats, strip or reject newlines and ensure the strings contain only alphanumeric characters and the allowed delimiter characters; enforce a strict whitelist of permissible characters.
  • Validate that numeric parameters such as the delta value in set, gauge, count, and histogram calls are truly numeric, rejecting or coercing any non‑numeric input before the call is made.
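The three checks listed above can be enforced in one place before any metric reaches send_stats. The following Perl wrapper is an added example, not code from DataDog::DogStatsd or from CPANSec: the character whitelists, the 64-character cap on user-derived tag values, the function names and the gauge call shape in the trailing comment are assumptions made for this example, not the library's own API.

```perl
#!/usr/bin/env perl
# Added example (not part of DataDog::DogStatsd): validate metric names,
# values and tags before they are handed to the library, so untrusted input
# such as a web form's "loginName" can never carry the newline, pipe or
# colon delimiters named in the advisory.
use strict;
use warnings;

# Metric names: dotted identifiers only (letters, digits, '_' and '.').
# Assumed policy for this example; tighten it to match your naming scheme.
sub validate_metric_name {
    my ($stat) = @_;
    die "metric name must be a non-empty string\n"
        unless defined $stat && length $stat;
    die "metric name contains characters outside [A-Za-z0-9_.]\n"
        unless $stat =~ /\A[A-Za-z0-9_][A-Za-z0-9_.]*\z/;
    return $stat;
}

# Values: a plain decimal number and nothing else. Anything containing a
# newline, pipe or colon fails the regex, as does leading/trailing space.
sub validate_value {
    my ($delta) = @_;
    die "value must be defined\n" unless defined $delta;
    die "value is not a plain decimal number\n"
        unless $delta =~ /\A-?(?:\d+(?:\.\d+)?|\.\d+)(?:[eE][-+]?\d+)?\z/;
    return 0 + $delta;
}

# Tags: "key" or "key:value", each side drawn from a fixed character set.
# Newlines, pipes, commas and any second colon are rejected outright.
# The message deliberately does not echo the offending tag into logs.
sub validate_tags {
    my ($tags) = @_;
    $tags = [] unless defined $tags;
    die "tags must be an array reference\n" unless ref $tags eq 'ARRAY';
    my @clean;
    for my $tag (@$tags) {
        die "tag must be a defined string\n" unless defined $tag;
        die "tag contains characters outside the allowed set\n"
            unless $tag =~ /\A[A-Za-z0-9_.\-]+(?::[A-Za-z0-9_.\-]+)?\z/;
        push @clean, $tag;
    }
    return \@clean;
}

# For tag values that must come from users (the SYNOPSIS's loginName case):
# the key is developer-controlled and validated, every disallowed character
# in the value is replaced with '_', and the length is capped (assumed 64).
sub tag_from_untrusted {
    my ($key, $value, $max_len) = @_;
    $max_len //= 64;
    die "tag key contains characters outside the allowed set\n"
        unless defined $key && $key =~ /\A[A-Za-z0-9_.\-]+\z/;
    $value = '' unless defined $value;
    (my $safe = $value) =~ s/[^A-Za-z0-9_.\-]/_/g;
    $safe = substr($safe, 0, $max_len);
    $safe = 'empty' if $safe eq '';
    return "$key:$safe";
}

# Single gate for every call: gauge, count, histogram and set all route
# through send_stats, so validate the triple once and pass on the result.
sub checked_metric {
    my ($stat, $delta, $tags) = @_;
    return (validate_metric_name($stat), validate_value($delta), validate_tags($tags));
}

unless (caller) {
    # Constructed input containing each delimiter the advisory names.
    my $login_name = "alice\nx|y:z";
    my $tag = tag_from_untrusted('user', $login_name);
    print "tag sent: $tag\n";   # user:alice_x_y_z

    my @ok = eval { checked_metric('web.login.count', 1, [$tag, 'env:prod']) };
    print $@ ? "rejected: $@" : "accepted: @ok[0,1] tags=@{$ok[2]}\n";

    # A value that is not a plain number is refused before it reaches the library.
    my @bad = eval { checked_metric('web.login.count', "42|x", ['env:prod']) };
    print $@ ? "rejected: $@" : "accepted\n";

    # The validated values would then go to the library, e.g.
    #   $statsd->gauge($ok[0], $ok[1], { tags => $ok[2] });
    # The option-hash shape is an assumption; check the DataDog::DogStatsd
    # documentation for the exact signature of your installed version.
}
```

Keeping the whitelist in the wrapper rather than at each call site means a later upgrade past 0.07 changes nothing for callers, and any input the library's own fix would also reject never leaves the application in the first place.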



Advisories

No advisories yet.

History

Fri, 05 Jun 2026 15:45:00 +0000

Values removed: none

Values added:
  • Description: identical to the Description section above (DataDog::DogStatsd versions through 0.07 for Perl allow metric injections; the send_stats method does not sanitise metric names, values or tags).
  • Title: DataDog::DogStatsd versions through 0.07 for Perl allow metric injections
  • Weaknesses: CWE-150, CWE-93
  • References: (none listed)


MITRE

Status: PUBLISHED

Assigner: CPANSec

Published:

Updated: 2026-06-05T14:49:39.714Z

Reserved: 2026-05-22T10:23:06.050Z

Link: CVE-2026-9270

Vulnrichment

No data.

NVD

Status: Undergoing Analysis

Published: 2026-06-05T16:16:41.780

Modified: 2026-06-05T17:04:07.863

Link: CVE-2026-9270

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-05T16:30:06Z

Weaknesses