CVE-2026-46741: Etsy::StatsD versions through 1.002002 for Perl allow metric injections
Etsy::StatsD versions through 1.002002 for Perl allow metric injections. The metric names and values are not checked for newlines, colons or pipes. Metrics generated from untrusted sources could inject additional statsd metrics. Note that the git repository contains an unreleased version with the gauge and set methods that also do not check for potential metric injections.
Metrics
- CVSS v3.1: 7.5
- Severity: HIGH
- Fixed in: —
- Affected Products: 1
HarborGuard Analysis
Synopsis
Metric injection is a flaw in Etsy::StatsD (Perl), affecting all published versions through 1.002002. The library sends metrics to a StatsD backend without stripping newlines, colons, or pipe characters from metric names or values, so an attacker who controls any input used to build a metric can inject arbitrary additional StatsD metrics into the data stream. Successful exploitation allows an attacker to tamper with application metrics, corrupt monitoring data, or fabricate measurements that mask or misrepresent system behavior. HarborGuard tracks the upstream advisory and will make a patched-image rebuild available as soon as a fix version is published.
HarborGuard Coverage
- Available: Detection is available across every HarborGuard environment: the CVE is ingested from CPANSec and upstream advisory feeds within minutes of publication and matched against customer images, including custom-built images that bundle Etsy::StatsD as a Perl dependency.
- Available: HarborGuard scores this CVE at CVSS 7.5 (HIGH) and applies per-environment compliance policy weighting before routing findings to the appropriate team inbox within each customer organization.
- Pending upstream: Because no fix version has been published, HarborGuard re-checks the upstream advisory on every ingest cycle and will make a patched-image rebuild available automatically the moment CPANSec or the maintainer ships a remediated release. In the meantime, affected images are flagged continuously so customers can apply compensating controls.
Exploit Conditions
- Network reachability: Required
  The vulnerable service must be reachable over the network; an attacker supplies crafted input remotely to influence metric names or values sent to the StatsD backend.
- Authentication: Not required
  No credentials are needed; any unauthenticated party who can influence input processed into a metric name or value can trigger the injection.
- Victim interaction: Not required
  No user action is required; the injection occurs automatically when the application processes attacker-controlled input and forwards it to StatsD.
- Attack complexity: Low
  Exploit conditions are straightforward and reliable, requiring no race conditions or special environmental setup beyond supplying input containing newlines, colons, or pipe characters.
Blast Radius
- Attacker injects fabricated metric names and values into the StatsD stream, overwriting or spoofing application performance and business measurements.
- Monitoring dashboards and alerting rules receive corrupted data, hiding real anomalies or triggering false alerts that obscure genuine incidents.
- If metric-based autoscaling or rate-limiting decisions rely on StatsD data, injected values can manipulate those automated responses.
How HarborGuard Handles This
Available on HarborGuard: images containing Etsy::StatsD at any version through 1.002002 are flagged as soon as the CVE is matched against a customer registry or build pipeline. Because no upstream fix exists yet, HarborGuard re-evaluates the advisory on every ingest cycle and will generate a patched-image rebuild automatically once a remediated version is released; customers with auto-remediation enabled will receive a regression-test run and a PR opened against affected workloads at that point. While no fix is available, recommended compensating controls include isolating StatsD listener ports behind strict network policy so only trusted application pods can write to the backend, validating and sanitizing all external input before it reaches any Etsy::StatsD call at the application layer, and applying egress filtering to prevent unexpected StatsD traffic from reaching monitoring infrastructure. For customers who opt into auto-remediation, the rebuild-and-PR flow will trigger without manual intervention the moment an upstream release is confirmed.
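The injection mechanism described in the synopsis and the input-validation control recommended above, as an added Python example that is not part of this advisory or of the Etsy::StatsD distribution. It models the StatsD line protocol directly instead of calling the Perl module, so the builder functions, the parser and the sample input are constructed for illustration; the sanitizer covers exactly the three characters the advisory names (newline, colon, pipe) and the strict builder shows the reject-rather-than-rewrite alternative.

```python
import re

# StatsD wire format: one metric per line, "<name>:<value>|<type>[|@<rate>]".
# Newline separates metrics, colon separates name from value, and pipe
# separates value from type, which is why those three characters are the
# ones the advisory calls out.
_METRIC_RE = re.compile(r"^([^:|\s]+):([^|]*)\|([a-z]+)(?:\|@([0-9.]+))?$")
_PROTOCOL_CHARS = re.compile(r"[\r\n:|]")
_NAME_OK = re.compile(r"^[A-Za-z0-9._-]+$")


def build_metric_unchecked(name, value, mtype="c"):
    """Interpolates name and value verbatim: the behaviour the advisory
    describes (constructed illustration, not Etsy::StatsD's own code)."""
    return f"{name}:{value}|{mtype}"


def sanitize_component(text):
    """Lenient fix: replace protocol-significant characters with '_' so the
    metric still ships but cannot start a second metric or field."""
    return _PROTOCOL_CHARS.sub("_", str(text))


def build_metric_sanitized(name, value, mtype="c"):
    """Same builder with both components passed through the sanitizer."""
    return f"{sanitize_component(name)}:{sanitize_component(value)}|{mtype}"


def build_metric_strict(name, value, mtype="c"):
    """Strict fix: refuse anything that is not a plain metric name and a
    numeric value, so bad input is an error instead of an altered metric."""
    if not _NAME_OK.match(name):
        raise ValueError(f"invalid metric name: {name!r}")
    if isinstance(value, bool) or not isinstance(value, (int, float)):
        raise TypeError("metric value must be numeric")
    return f"{name}:{value}|{mtype}"


def parse_datagram(datagram):
    """Split a datagram the way a StatsD listener does and return the
    (name, value, type) tuples it would record; malformed lines are dropped."""
    metrics = []
    for line in datagram.split("\n"):
        match = _METRIC_RE.match(line.rstrip("\r"))
        if match:
            metrics.append((match.group(1), match.group(2), match.group(3)))
    return metrics


# Constructed sample: a metric name derived from an untrusted field that
# carries an embedded newline, the case the advisory describes.
UNTRUSTED_NAME = "login.user:1|c\ninjected.deploys"


def demo():
    """Returns how many metrics the listener records for one increment call
    under each builder; the unchecked builder yields two from a single call."""
    unchecked = parse_datagram(build_metric_unchecked(UNTRUSTED_NAME, 1))
    sanitized = parse_datagram(build_metric_sanitized(UNTRUSTED_NAME, 1))
    try:
        build_metric_strict(UNTRUSTED_NAME, 1)
        strict_rejected = False
    except ValueError:
        strict_rejected = True
    return {
        "unchecked": len(unchecked),
        "sanitized": len(sanitized),
        "strict_rejected": strict_rejected,
    }


if __name__ == "__main__":
    for label, count in demo().items():
        print(f"{label}: {count}")
```

The sanitizer is the minimal change that closes the injection while keeping the metric; the strict builder is what a caller with a known metric namespace should prefer, because a rejected name surfaces the bad input instead of quietly recording it under a mangled key. Either control belongs at the application layer before any Etsy::StatsD call, as the compensating-controls paragraph recommends, and applies equally to the unreleased gauge and set methods since they emit the same line format.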
Affected Products
- SANBEG / Etsy::StatsD: ≤ 1.002002
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N