QSearchQSearch

CVE-2026-50638

Metrics::Any::Adapter::DogStatsd versions before 0.04 for Perl does not protect against metric injections

Published: 2026-06-10 · Last updated: 2026-06-10

Severity and scoring

CWE
CWE-93

Description

Metrics::Any::Adapter::DogStatsd versions before 0.04 for Perl does not protect against metric injections. The statsd protocol (and extensions such as dogstatsd) allow mutiple metrics,separated by newlines, to be sent per packet. Metrics::Any::Adapter::DogStatsd which extends Metrics::Any::Adapter::Statsd, which has a similar vulnerability. In addition, the _tags function does not check tags for newlines or statsd control characters. The tags can be used for metric injections.

Source: NVD

References

Related CVEs

Same CWE

  • CVE-2026-50639 Metrics::Any::Adapter::SignalFx versions before 0.04 for Perl does not protect against metric injections (6.5 MEDIUM)
  • CVE-2026-50637 Metrics::Any::Adapter::Statsd versions before 0.04 for Perl does not protect against metric injections
  • CVE-2026-49756 Improper Neutralization of CRLF Sequences ('CRLF Injection') vulnerability in wojtekmach Req allows multipart parameter smuggling via att...
  • CVE-2026-9270 DataDog::DogStatsd versions through 0.07 for Perl allow metric injections (9.1 CRITICAL)
  • CVE-2026-11362 DataDog::DogStatsd versions through 0.07 for Perl allow metric injections from event tags (9.8 CRITICAL)