HIGHCVE-2026-46720Published 2026-05-17Modified 2026-05-26CNA CPANSec

CVE-2026-46720: Net::Statsd::Tiny versions before 0.3.8 for Perl allowed metric injections

Net::Statsd::Tiny versions before 0.3.8 for Perl allowed metric injections. The metric names and set values were not checked for newlines, colons or pipes. Metrics generated from untrusted sources could inject additional statsd metrics.

CVSS v3.1: 8.2
Severity: HIGH
Fixed in: 0.3.8
Affected Products: 1

Fix available

0.3.8

Patch commits

github.com

Affected packages

RRWO / Net::Statsd::Tiny
< 0.3.8 (from 0)

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:N

References

metacpan.org
github.com
cve.org