CVE-2026-8788
7.3 HIGHNet::Statsd::Lite versions through 0.10.0 for Perl allowed metric injections
Published: 2026-05-18 · Last updated: 2026-05-19
Severity and scoring
- CVSS
- 7.3 HIGH
- Vector
- CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
- CWE
- CWE-93
Description
Net::Statsd::Lite versions through 0.10.0 for Perl allowed metric injections. The values from the set_add method were not checked for newlines, colons or pipes. Metrics generated from untrusted sources could inject additional statsd metrics. Note that version 0.9.0 fixed a similar issue CVE-2026-46719 for metric names.
Source: NVD
References
Related CVEs
Same CWE
- CVE-2026-12143 — form-data is a library for creating readable multipart/form-data streams (7.5 HIGH)
- CVE-2026-50629 — The 'clientId' parameter from incoming HTTP requests is directly concatenated into OAuth2 server log warning messages without sanitizing ... (5.3 MEDIUM)
- CVE-2026-49214 — guzzlehttp/psr7 is a PSR-7 HTTP message library implementation in PHP (5.3 MEDIUM)
- CVE-2026-50639 — Metrics::Any::Adapter::SignalFx versions before 0.04 for Perl does not protect against metric injections (6.5 MEDIUM)
- CVE-2026-50638 — Metrics::Any::Adapter::DogStatsd versions before 0.04 for Perl does not protect against metric injections (9.1 CRITICAL)